Skill v1.0.0

ClawScan security

Bilibili User Relation Stats API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 23, 2026, 3:12 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it only needs node and a JustOneAPI token and its code and instructions match the described Bilibili API call.
Guidance
This skill appears to do exactly what it says: call JustOneAPI's Bilibili relation-stats endpoint using the JUST_ONE_API_TOKEN. Before installing, verify the token is obtained from the official Just One API dashboard and grant it only the minimum necessary scope. Keep the token in the environment (as instructed) and do not paste it into chat. Note: the token is sent as a query parameter (token=<value>), which some servers or logs may record—if that is a concern, confirm with JustOneAPI whether an alternative (Authorization header) is supported. If you want extra assurance, inspect bin/run.mjs locally and run it in a restricted environment or sandbox.

Review Dimensions

Purpose & Capability
ok
Name/description (JustOneAPI Bilibili relation stats) aligns with required artifacts: node runtime and JUST_ONE_API_TOKEN. The token is the expected credential for the advertised API; no unrelated credentials or binaries are requested.
Instruction Scope
ok
SKILL.md and the included bin/run.mjs limit actions to building the request and calling https://api.justoneapi.com/api/bilibili/get-user-relation-stat/v1 with query params token and wmid. The instructions do not request reading other files, system state, or unrelated environment variables.
Install Mechanism
ok
There is no external install step or network download; the skill is instruction-only with a small local Node script. Nothing is pulled from arbitrary URLs or installed to the system.
Credentials
ok
Only JUST_ONE_API_TOKEN is required and it's the declared primary credential. The number and nature of environment variables are proportional to the documented API usage.
Persistence & Privilege
ok
always:false and no special persistence or system-wide configuration changes are requested. The skill does not modify other skills or agent settings.