Skill v1.0.0
ClawScan security
Beike Resale Housing Details API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 3:12 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is a narrow wrapper that calls JustOneAPI's Beike resale housing details endpoint and only requires a JustOneAPI token and node; its requirements and instructions match its stated purpose.
- Guidance: This skill is internally consistent for calling JustOneAPI's Beike endpoint. Before installing: ensure JUST_ONE_API_TOKEN is a token you trust to give the skill access to JustOneAPI only; store the token securely (do not paste into chat); be aware the script sends the token as a query parameter (which can be exposed in logs or URLs); if that is a concern, request an implementation that uses an Authorization header instead. Verify the base URL (https://api.justoneapi.com) is the expected provider and revoke the token if you notice unexpected activity.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (node), and required env var (JUST_ONE_API_TOKEN) align with a simple HTTP client to JustOneAPI's /api/beike/ershoufang/detail/v1 endpoint.
- Instruction Scope (ok): SKILL.md and bin/run.mjs only gather the declared inputs (cityId, houseCode, and the JUST_ONE_API_TOKEN) and perform an HTTPS GET to api.justoneapi.com; there are no instructions to read unrelated files, other env vars, or to transmit data to unexpected endpoints.
- Install Mechanism (ok): There is no install spec and no remote downloads. The skill includes a small Node script (bin/run.mjs) and relies on an existing 'node' binary; this is proportionate for a Node-based helper.
- Credentials (note): The skill only requests the single JUST_ONE_API_TOKEN, which is appropriate. Note: the token is sent as a query parameter to the API (per the operation definition), which can be logged by intermediaries or servers and is generally less private than using an Authorization header. This is a security detail to be aware of but does not indicate incoherence.
- Persistence & Privilege (ok): `always` is false and the skill does not request any persistent system-wide privileges or modify other skills' configs. Autonomous invocation is allowed (platform default) and acceptable for this type of integration.
