Skill v1.0.0

ClawScan security

Douyin E-commerce Item Details API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 3:43 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is internally consistent: it needs a single JustOneAPI token and node, and its code and instructions simply call JustOneAPI to fetch Douyin item details.
Guidance
This skill appears to do what it says: it wraps JustOneAPI to fetch Douyin item details and requires node and a single JUST_ONE_API_TOKEN. Before installing:
1) Verify you trust JustOneAPI (https://api.justoneapi.com) and that the token has only the permissions you need.
2) Be aware the helper sends the token as a query parameter (query strings can be logged by proxies/servers); if that is a concern, ask the provider for a header-based auth option.
3) Because the skill can be invoked autonomously, avoid supplying high-privilege tokens unless you accept the risk; consider creating a limited-scope token and rotating it if you stop using the skill.
4) Review network traffic policy and privacy terms of JustOneAPI if you will send sensitive item identifiers.
If you want extra assurance, inspect the included bin/run.mjs (provided); it is small and simply builds a URL, performs fetch, and prints JSON.

Review Dimensions

Purpose & Capability
ok: The name/description (Douyin item details) match the required artifacts: node as a runtime and JUST_ONE_API_TOKEN as the API credential. The operation uses the JustOneAPI base URL and requests itemId and token, which is expected for this API proxy.
Instruction Scope
ok: SKILL.md and bin/run.mjs only require itemId and the API token and instruct the agent to call the documented endpoint. There are no instructions to read unrelated files, other env vars, or to transmit data to unexpected endpoints.
Install Mechanism
ok: There is no external install/download step (no remote URLs or extracted archives). A local helper (bin/run.mjs) is included and is self-contained; this is low-risk compared with remote install mechanisms.
Credentials
ok: Only one credential is required (JUST_ONE_API_TOKEN), which is proportional to an API proxy. Note: the token is sent as a query parameter by the helper, which can be logged by servers and intermediaries; consider this when granting the token.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or system settings. It can be invoked autonomously (platform default), which increases blast radius if the token is exposed, but that behavior is expected for skills.