Skill v1.0.0
ClawScan security
Bilibili Share Link Resolution API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 5:51 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is coherent: it only needs a JustOneAPI token and node to call JustOneAPI's Bilibili share-link resolution endpoint and its files/instructions match that purpose.
- Guidance: This skill appears to do exactly what it says: call JustOneAPI to resolve Bilibili share links. Before installing, confirm you trust JustOneAPI and are comfortable with the token's scope because the token (JUST_ONE_API_TOKEN) will be sent to api.justoneapi.com as a query parameter. Keep the token secret (don't paste it into chat or logs) and use an API key with minimal permissions. Ensure the environment where the skill runs has a recent Node version that provides fetch, and verify the JustOneAPI dashboard/terms if you rely on it for production data. If you need stronger isolation, run the helper script in a sandboxed environment or with a token that can be revoked.
Review Dimensions
- Purpose & Capability: ok. Name and description claim a single job (resolve Bilibili share links). Requested artifacts (node binary) and required environment variable (JUST_ONE_API_TOKEN) are exactly what is needed to call the external JustOneAPI endpoint; no unrelated credentials or binaries are requested.
- Instruction Scope: ok. SKILL.md and bin/run.mjs only require the shareUrl parameter and the API token and instruct calling https://api.justoneapi.com. The instructions do not request reading local files, other environment variables, or sending data to any endpoints other than the documented JustOneAPI base URL.
- Install Mechanism: ok. No install spec or remote downloads are used; this is an instruction-only skill with an included helper script (bin/run.mjs). Nothing is fetched from third-party URLs at install time, so install risk is minimal.
- Credentials: ok. Only JUST_ONE_API_TOKEN is required and is directly justified by the need to authenticate to JustOneAPI. No other secrets, tokens, or config paths are requested.
- Persistence & Privilege: ok. The skill is not forced always-on (always: false) and does not request elevated system persistence or modify other skills. It can be invoked autonomously (platform default), which is normal for skills of this type.
