Skill v1.0.0

ClawScan security

Douyin Creator Marketplace (Xingtu) Author Commerce Seeding Base Info API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 7:17 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is a focused API wrapper for a single JustOneAPI endpoint and its requirements and instructions are consistent with that purpose.
Guidance
This skill appears to be a straightforward wrapper around a JustOneAPI endpoint. If you plan to install it:
1) only provide a JustOneAPI token (JUST_ONE_API_TOKEN) obtained from the official JustOneAPI dashboard; avoid pasting the token in chats or logs;
2) verify you have a recent Node runtime (Node 18+ recommended for native fetch support) before running the bundled script;
3) review the included bin/run.mjs yourself (it's short and readable) to confirm behavior;
4) run it in a limited environment or with a token that has minimal scope, and rotate/revoke the token if you stop using the skill or if you suspect misuse;
5) remember the skill will make outbound network calls to https://api.justoneapi.com, so only use it if you trust that service.

Review Dimensions

Purpose & Capability
ok: The skill's name and description match its behavior: it calls a single GET endpoint on api.justoneapi.com. Requiring the node binary and a JUST_ONE_API_TOKEN is appropriate and proportional to running the included Node helper and authenticating to JustOneAPI. There are no unrelated credentials or binaries requested.
Instruction Scope
ok: SKILL.md instructs the agent to run the included bin/run.mjs with operation, token, and params. The script only builds a URL, sends a GET to the documented baseUrl, parses JSON, and prints results or errors. It does not read other files, access unrelated env vars, or transmit data to unexpected endpoints.
Install Mechanism
ok: There is no external install step or downloads. The skill is instruction-only with a small bundled Node script (bin/run.mjs). No archive extraction or third-party package installs occur in the manifest, minimizing install-time risk.
Credentials
ok: Only JUST_ONE_API_TOKEN is required and is used to populate the token query parameter. The primaryEnv matches the declared requirement and the script does not reference other secret-like environment variables or config paths.
Persistence & Privilege
ok: The skill does not request permanent presence (always:false) and contains no code that modifies other skills or system configuration. It runs on demand and does not persist credentials or change agent settings.