Skill v1.0.0

ClawScan security

Douyin Creator Marketplace (Xingtu) KOL Content Keyword Analysis API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 24, 2026, 9:11 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it only needs Node and a JustOneAPI token to call a documented JustOneAPI endpoint and its code and instructions match that purpose.
Guidance
This skill appears to do exactly what it says: run a small Node script that calls JustOneAPI's Douyin/Xingtu endpoint using JUST_ONE_API_TOKEN and a kolId. Before installing, consider:
1) Token exposure: the implementation places the token in the URL query string, which can be logged by servers, proxies, or local shells; use a limited-scope token and rotate it if possible.
2) Trust and cost: verify you trust https://api.justoneapi.com (and their pricing/quotas) because the skill will send requests to that host.
3) Runtime environment: ensure node is available and up-to-date (the script uses fetch).
4) Privacy: do not paste token values into chat; follow SKILL.md guidance.
If any of these concerns are unacceptable, do not install or use the skill; otherwise it is coherent and proportional to its stated purpose.

Review Dimensions

Purpose & Capability
ok
The skill's name/description match the required resources: it calls JustOneAPI's Douyin (Xingtu) endpoint and requires JUST_ONE_API_TOKEN and node. No unrelated credentials, binaries, or configurations are requested.
Instruction Scope
note
SKILL.md instructs the agent to run the included node script with --token and --params-json containing kolId, to ask for missing parameters, and to output a short summary then raw JSON. One noteworthy implementation detail: the token is injected as a query parameter to the API (not an environment-only header), which can increase the risk of token exposure via logs or intermediaries. Otherwise the instructions do not request unrelated files, secrets, or system state.
Install Mechanism
ok
There is no network install step: the skill ships a small JS script (bin/run.mjs) and is instruction-driven. It requires node to exist on PATH and makes standard network requests to api.justoneapi.com. No downloads from untrusted URLs or archive extraction are present.
Credentials
note
Only JUST_ONE_API_TOKEN is required and is the declared primary credential, which is appropriate for this API client. As noted above, the token is sent as a query parameter (per the operation parameter definition), which may be logged by servers or proxies; consider using a scoped token and verifying JustOneAPI's token handling if this is sensitive.
Persistence & Privilege
ok
The skill does not request persistent or elevated platform privileges: always is false, no config paths are required, and it doesn't modify other skills or system settings.