Skill v1.0.0
ClawScan security
Douyin Creator Marketplace (Xingtu) Audience Distribution API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 24, 2026, 9:11 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only wrapper around JustOneAPI's Douyin/Xingtu audience-distribution endpoint and its requirements (node + JUST_ONE_API_TOKEN) match the stated purpose.
- Guidance: This skill appears coherent: it simply calls JustOneAPI's Douyin/Xingtu endpoint and requires your JUST_ONE_API_TOKEN. Before installing, confirm you trust JustOneAPI (https://api.justoneapi.com) and that the token has appropriate (least-privilege) scope. Keep the token secret (follow the SKILL.md advice: don’t paste tokens into chat or logs). If you want extra assurance, review the included bin/run.mjs locally (it only builds a URL and issues a fetch) and ensure your Node version supports top-level await; you can also monitor outgoing requests while running to verify they go only to api.justoneapi.com.
Review Dimensions
- Purpose & Capability: ok. Name, description, and requested artifacts line up: the skill calls https://api.justoneapi.com for a Douyin Creator Marketplace audience-distribution endpoint and requires only node and JUST_ONE_API_TOKEN, which are appropriate for this purpose.
- Instruction Scope: ok. SKILL.md and the runtime script only instruct constructing a GET request with query params (token, kolId, optional acceptCache). There are no instructions to read unrelated files, environment variables, or to exfiltrate data to other endpoints.
- Install Mechanism: ok. No install spec (instruction-only). A small local Node script (bin/run.mjs) is included; it formats query params and performs a fetch to the declared baseUrl. No external downloads or archive extraction are used.
- Credentials: ok. Only JUST_ONE_API_TOKEN is required and is used as the API token query parameter. No unrelated credentials or config paths are requested.
- Persistence & Privilege: ok. Skill is not forced-always, does not request persistent elevated privileges, and does not modify other skills or system-wide settings.
