Skill v1.0.0

ClawScan security

Douyin (TikTok China) Video Details API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 6:04 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required token align with its stated purpose (calling JustOneAPI to fetch Douyin video details); nothing requests unrelated credentials, installs, or filesystem access.
Guidance
This skill appears to do exactly what it says: use your JUST_ONE_API_TOKEN to call JustOneAPI's Douyin video-detail endpoint. Before installing/running: (1) Confirm the token you provide is for JustOneAPI and that you trust that service; the token will be sent to https://api.justoneapi.com. (2) Review the included bin/run.mjs (it is small and readable) and run it in an environment where executing Node is permitted. (3) Do not paste your token into chat or logs; keep it secret. (4) If you have strict network or least-privilege requirements, consider running the script in an isolated environment or with a token scoped minimally for this API. Overall this skill is internally consistent and low-risk for its stated purpose.

Review Dimensions

Purpose & Capability
ok
Name/description (fetch Douyin video details) match the actual behavior: a small CLI wrapper that issues GET to https://api.justoneapi.com/api/douyin/get-video-detail/v2 with token and videoId query parameters. Requiring JUST_ONE_API_TOKEN and node is appropriate for this purpose.
Instruction Scope
ok
SKILL.md instructs running the included bin/run.mjs with explicit parameters and to only use JUST_ONE_API_TOKEN. The instructions do not ask the agent to read unrelated files, other env vars, or send data to unexpected endpoints; they also explicitly warn not to paste the token into chat.
Install Mechanism
ok
There is no install spec or remote download; the skill is instruction-only plus a small local Node script (bin/run.mjs). No external URLs or archive extraction are used, so install risk is low. Running requires a Node runtime (with fetch available).
Credentials
ok
The only required environment variable is JUST_ONE_API_TOKEN (declared as primary), which is appropriate and necessary to authenticate to JustOneAPI. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok
The skill does not request always:true and does not modify other skills or system settings. It is user-invocable and can be used autonomously per platform defaults; this is expected for an API-integration skill.