Skill v1.0.0

ClawScan security

Douban Movie Review Details API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 5:52 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini

Summary
The skill's requirements and behavior match its stated purpose: it calls a JustOneAPI Douban review-detail endpoint using JUST_ONE_API_TOKEN and a reviewId; nothing in the files indicates unrelated or excessive access.
Guidance
This skill appears to do exactly what it claims: call JustOneAPI to fetch Douban review details. Before installing, ensure your JUST_ONE_API_TOKEN is a token you trust with this single vendor (rotate/revoke if compromised). Be aware the token is passed in the URL query string — it can be recorded in server logs, proxy logs, or appear in Referer headers — so avoid sharing the token elsewhere and prefer tokens with limited scope. Confirm your runtime Node version supports fetch (Node 18+ or polyfill) and review JustOneAPI's privacy/retention policy if you care about how queries are logged. Finally, only install skills from publishers you trust; the package source here is 'unknown' and points to justoneapi.com as the endpoint.

Review Dimensions

Purpose & Capability · ok
Name and description match the code and SKILL.md. The skill only requires node and JUST_ONE_API_TOKEN, which is consistent with running the included Node helper that calls JustOneAPI's endpoint.
Instruction Scope · note
SKILL.md and bin/run.mjs limit actions to building an HTTPS request to https://api.justoneapi.com and returning the JSON response. One noteworthy point: the API token is sent as a query parameter (parameter name 'token'), which means the token will appear in the request URL and could be exposed in logs, proxy traces, or Referer headers. The skill does not read other environment variables, user files, or unrelated system state.
Install Mechanism · ok
There is no install spec; this is effectively an instruction + helper script. The helper is a small Node script included in the package — no external downloads or installers are performed.
Credentials · ok
Only JUST_ONE_API_TOKEN is required and declared as the primary credential. This is proportional to the task of authenticating to JustOneAPI. No unrelated secrets or config paths are requested.
Persistence & Privilege · ok
The skill does not request permanent inclusion (always is false) and does not modify other skills or system configs. It runs as an on-demand helper and does not persist credentials beyond using the provided token for the HTTP call.