Skill v1.0.0

ClawScan security

Bilibili Video Search API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 4:16 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill appears to do exactly what it says: call JustOneAPI's Bilibili video search endpoint using a single API token and Node; its requirements and instructions are proportionate and consistent with its purpose.
Guidance
This skill is coherent and appears safe to install for its stated purpose. Before installing, note: (1) the skill requires JUST_ONE_API_TOKEN — treat it like any API key and do not paste it into chats; (2) the token is sent as a query parameter by the included script (check your JustOneAPI settings if you prefer tokens in headers for better secrecy/logging posture); (3) verify your JustOneAPI account limits and billing, since calls will consume your quota; and (4) ensure the agent runs Node (modern Node versions include fetch) and that you trust api.justoneapi.com as the backend provider. If you need stricter guarantees, ask the skill author to send auth via Authorization header and avoid including tokens in URLs.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: the code calls https://api.justoneapi.com/api/bilibili/search-video/v2. Declared requirements (node, JUST_ONE_API_TOKEN) are exactly what the skill needs to make the API request.
Instruction Scope
ok: SKILL.md only instructs the agent to gather the keyword (and optional paging/sort params), pass the token via the CLI flag, call the documented operation, and return results. There are no instructions to read unrelated files, other env vars, or to transmit data to unexpected endpoints.
Install Mechanism
ok: No install spec or external downloads are used; this is instruction-only plus a small included Node script (bin/run.mjs). No suspicious installers, archives, or remote code fetches are present.
Credentials
ok: The only required environment variable is JUST_ONE_API_TOKEN (declared as primary). That single credential is appropriate for calling a third-party API. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated system presence or modify other skills/config. It permits autonomous invocation (platform default), which is expected for an integration skill.