Skill v1.0.0
ClawScan security
Douyin (TikTok China) User Search API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 24, 2026, 7:17 PM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, runtime instructions, and required token align with its stated purpose (calling JustOneAPI's Douyin user search endpoint); nothing in the package asks for unrelated credentials or elevated privileges.
- Guidance: This skill appears coherent and limited to calling JustOneAPI's Douyin user-search endpoint. Before installing: (1) confirm you trust JustOneAPI and are comfortable sending queries and data to api.justoneapi.com; (2) provide a scoped/rotatable JUST_ONE_API_TOKEN and avoid using long-lived broad-permission keys; (3) be aware the token is passed in the URL query string (may be logged by proxies or servers) — if this is a concern ask the provider about header-based auth; (4) review privacy/compliance implications of sending search keywords or account identifiers to a third-party API. If you do not trust the token issuer or need stricter logging controls, do not install or use the skill.
Review Dimensions
- Purpose & Capability: ok. The name/description match the actual behavior: the included Node script calls https://api.justoneapi.com/api/douyin/search-user/v2. Requiring the node binary and JUST_ONE_API_TOKEN is proportional to the stated goal.
- Instruction Scope: ok. SKILL.md instructs the agent to run the provided bin/run.mjs with an operation, token, and query parameters. The instructions ask the agent to request missing parameters and to avoid pasting tokens in chat; they do not instruct collecting unrelated files, environment variables, or system state.
- Install Mechanism: ok. No install spec or remote downloads are present. This is an instruction+helper-script skill that relies on an existing node runtime; no archives or external installers are fetched or executed.
- Credentials: note. Only JUST_ONE_API_TOKEN is required, which is appropriate. Note: the token is sent as a query parameter (token=<value>), which can be logged by intermediaries or servers; consider this when sharing/issuing the token and prefer scope-limited tokens.
- Persistence & Privilege: ok. The always flag is false (the skill is not forced into every agent), and the skill does not request system-wide configuration changes or other skills' credentials. The default ability for the agent to invoke the skill autonomously is set to platform defaults and is not a special privilege here.
