Skill v1.0.0

ClawScan security

Douyin Creator Marketplace (Xingtu) Author Commerce Spread Info API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 7:17 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is a simple wrapper for a JustOneAPI endpoint that only requires Node and a JustOneAPI token; its files and instructions are consistent with that purpose.
Guidance
This skill is a thin wrapper around the JustOneAPI endpoint and only needs your JUST_ONE_API_TOKEN. Before installing, confirm you trust JustOneAPI and that the token has only the permissions you expect. Avoid pasting tokens into chat or logs. Prefer providing the token via a secure environment variable rather than typing it directly on a shared command line, because command-line arguments (e.g., --token) can be visible to other local users/processes on some systems. Monitor token usage and be ready to revoke the token if you see unexpected activity.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: the skill calls GET /api/douyin-xingtu/get-author-commerce-spread-info/v1 on api.justoneapi.com. Declared requirements (node binary and JUST_ONE_API_TOKEN) are appropriate and necessary for the stated function.
Instruction Scope
note: SKILL.md and bin/run.mjs instruct calling the specific endpoint and only require kolId and the API token. The script does not reference unrelated files, paths, or extra environment variables. Minor note: the token is passed as a CLI argument (--token), which can be visible to other local users/processes on some systems (see guidance).
Install Mechanism
ok: There is no install spec or external downloads; this is an instruction-only skill with a small included node script. Nothing is fetched from arbitrary URLs or written to system locations.
Credentials
ok: Only JUST_ONE_API_TOKEN is required and is the documented primary credential for the JustOneAPI service. No unrelated secrets or multiple credential sets are requested.
Persistence & Privilege
ok: Skill does not request always:true, does not modify other skills or system-wide settings, and is user-invocable. It has normal, limited presence and no elevated privileges.