Skill v1.0.0
ClawScan security
Douban Movie Recent Hot Movie API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 23, 2026, 5:52 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested token are consistent with its stated purpose of calling JustOneAPI's Douban 'recent hot movie' endpoint.
- Guidance: This skill appears to do exactly what's advertised: call JustOneAPI's Douban recent-hot-movie endpoint. Before installing, confirm you trust https://api.justoneapi.com and are willing to give the service the JUST_ONE_API_TOKEN. Note the script sends the token as a query parameter (which can be logged by intermediaries or servers); prefer a token with limited scope and rotate it if exposure is possible. Ensure node is up-to-date on the host and review the included bin/run.mjs if you want to inspect behavior locally before running.
Review Dimensions
- Purpose & Capability: ok. The skill is a thin wrapper around a single JustOneAPI endpoint. Requiring node and JUST_ONE_API_TOKEN matches the included node script and the API's authentication; no unrelated credentials or binaries are requested.
- Instruction Scope: ok. SKILL.md and bin/run.mjs only describe or parse CLI args and perform an HTTPS GET to https://api.justoneapi.com/api/douban/get-recent-hot-movie/v1 with the token as a query parameter. The instructions do not direct reading other files, accessing unrelated env vars, or sending data to unexpected endpoints.
- Install Mechanism: ok. There is no install spec; this is instruction-only plus a small included node script. Nothing is downloaded or written to disk at install time by the skill itself.
- Credentials: ok. Only JUST_ONE_API_TOKEN is required and declared as the primary credential. That single token is proportional to the stated purpose. No other secrets, config paths, or unrelated environment variables are requested.
- Persistence & Privilege: ok. The skill does not request always:true and does not attempt to modify system or other-skill configuration. Default autonomous invocation is allowed (normal) and within expectations for an API integration.
