Back to skill
Skillv1.0.0
ClawScan security
Douyin (TikTok China) Video Search API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 24, 2026, 7:17 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it only needs node and a JUST_ONE_API_TOKEN to call the documented JustOneAPI Douyin search endpoint and the included code and instructions match the stated purpose.
- Guidance
- This skill appears to do exactly what it says: call JustOneAPI's Douyin video search. Before installing, confirm you trust JustOneAPI and that the JUST_ONE_API_TOKEN you provide is intended for this use. The token will be sent as a query parameter to https://api.justoneapi.com — avoid pasting the token into chat or public logs. Ensure you have Node (version with global fetch or provide a fetch polyfill) and consider using a token with limited scope/rotation if supported. If you have stricter network or privacy requirements, review JustOneAPI's privacy/security documentation and monitor network requests when first using the skill.
Review Dimensions
- Purpose & Capability
- okName/description match the requested resources. The only required binary is node and the only required env var is JUST_ONE_API_TOKEN, which is appropriate for a thin client that calls JustOneAPI's Douyin search endpoint.
- Instruction Scope
- okSKILL.md and bin/run.mjs limit actions to constructing an HTTP GET to https://api.justoneapi.com/api/douyin/search-video/v4 using provided query params and token. The instructions do not read unrelated files, environment variables, or send data to unexpected endpoints.
- Install Mechanism
- okNo install spec; this is instruction-only with a small bundled Node CLI. Requiring node is reasonable. No downloads from untrusted URLs or archive extraction is present.
- Credentials
- okOnly JUST_ONE_API_TOKEN is required and is the declared primary credential. The token is used only to populate the request's 'token' query parameter to the documented base URL; no other secrets or unrelated env vars are requested.
- Persistence & Privilege
- okalways is false and the skill does not attempt to modify other skills or system settings. It has normal, bounded runtime behavior and no persistent elevated privileges.