Skill v1.0.0

ClawScan security

Douban Movie Subject Details API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 3:43 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill’s code, runtime instructions, and requested credential (JUST_ONE_API_TOKEN) are consistent with its stated purpose of calling JustOneAPI’s Douban subject-details endpoint.
Guidance
This skill appears to do what it says: it calls JustOneAPI’s Douban subject-details endpoint and requires the node binary plus the JUST_ONE_API_TOKEN environment variable. Before installing, confirm you trust JustOneAPI and that the token you provide has the narrowest scope the endpoint will accept. Note that the script sends the token as a query parameter (token=...); tokens in URLs end up in server access logs, proxy logs and error messages, so avoid supplying a high-privilege or long-lived secret, and rotate or revoke the token when the skill is no longer needed. Also verify that the token is never pasted into chat output or logs, and that your agent produces the human-readable summary and then returns the raw JSON response, as SKILL.md requests.

Review Dimensions

Purpose & Capability
ok · Name/description match the implemented operation: a small Node helper that calls GET /api/douban/get-subject-detail/v1. The required binary (node) and the required env var (JUST_ONE_API_TOKEN) are appropriate for this API client.
Instruction Scope
note · SKILL.md instructs the agent to request any missing parameters, echo the operation ID, summarize the results, and then return the raw JSON. The bundled run.mjs prints only the raw JSON response to stdout and produces no human-readable summary; this is coherent because the agent, not the script, is expected to format the output, but ensure the agent actually provides the summary as instructed. The instructions do not ask the agent to read unrelated files or additional env vars.
Install Mechanism
ok · No install spec: the skill is instruction-only plus a small included Node script (bin/run.mjs). There is no download-from-URL, no additional packages pulled at install time, and no files written by an installer.
Credentials
note · Only JUST_ONE_API_TOKEN is required, and it is declared as primaryEnv, which is appropriate. One implementation detail: the script sends the token as a query parameter (token=...), so the full request URL is itself a secret and can surface in server access logs, proxy logs or Referer headers; consider the token’s scope and lifecycle before reusing an existing credential here.
Persistence & Privilege
ok · always is false, and the skill does not request persistent system changes or modify other skills. Autonomous invocation by the agent (disable-model-invocation: false) is the platform default and is not by itself a problem here.
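The Guidance and Credentials sections above both flag the same operational risk: because the token rides in the query string, the request URL is a secret, and any place it is logged, echoed or summarized becomes a leak. The following is an added example, not the skill’s own bin/run.mjs, showing how an operator can build the URL as the scan describes and keep the token out of logs and out of the agent’s human-readable summary. The API host (api.example.invalid), the id parameter name, the sample token and the log line are all constructed placeholders for this example; only the endpoint path and the token= parameter come from the scan.

```javascript
// Added example (not the skill's bin/run.mjs). Host, `id` parameter name,
// sample token and sample log line are constructed assumptions.

const API_PATH = '/api/douban/get-subject-detail/v1'; // endpoint named in the scan

// Build the request URL. The token travels in the query string, so the full
// URL must be treated as a secret: never log it and never echo it to the agent.
function buildSubjectDetailUrl(baseUrl, subjectId, token) {
  if (!token) throw new Error('JUST_ONE_API_TOKEN is not set');
  const url = new URL(API_PATH, baseUrl);
  url.searchParams.set('id', String(subjectId)); // parameter name is an assumption
  url.searchParams.set('token', token);
  return url.toString();
}

// Redact the value of any `token=` query parameter, then any other literal
// occurrence of the secret (error messages, proxy logs, echoed JSON bodies).
function redactToken(text, token) {
  let out = text.replace(/([?&]token=)[^&\s"']*/gi, '$1[REDACTED]');
  if (token) out = out.split(token).join('[REDACTED]');
  return out;
}

// A safe-to-log description of the request: path and non-secret params only.
function describeRequest(urlString) {
  const u = new URL(urlString);
  u.searchParams.delete('token');
  return `${u.pathname}?${u.searchParams.toString()}`;
}

// Gate for the agent's human-readable summary: true only if the secret is absent
// from the text about to be shown to a user or written to a chat transcript.
function summaryIsCleanOfToken(summary, token) {
  return !summary.includes(token);
}

// Constructed sample data: not a real token, not a real log line.
const SAMPLE_TOKEN = 'tok_example_0123456789';
const sampleUrl = buildSubjectDetailUrl('https://api.example.invalid', 1292052, SAMPLE_TOKEN);
const sampleAccessLog =
  `10.0.0.5 - - [24/Apr/2026:15:43:00 +0000] "GET ${API_PATH}?id=1292052&token=${SAMPLE_TOKEN} HTTP/1.1" 200 812`;

console.log(describeRequest(sampleUrl));                  // path and id only, no token
console.log(redactToken(sampleAccessLog, SAMPLE_TOKEN));  // token value replaced by [REDACTED]
console.log(summaryIsCleanOfToken('Movie: Example (2001), rating 8.9', SAMPLE_TOKEN)); // true
```

Run with node. The redaction runs on whatever is about to be logged or shown, never on the request itself, so the call to the API is unchanged; the point is that the only artifacts that persist (logs, summaries, chat output) no longer contain the credential.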