Skill v1.0.0

ClawScan security

Douyin Creator Marketplace (Xingtu) Conversion Analysis API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 9:11 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is a straightforward wrapper for JustOneAPI's Douyin/Xingtu conversion-analysis endpoint; its requirements (node and JUST_ONE_API_TOKEN) and instructions align with the stated purpose.
Guidance
This skill appears to do exactly what it says: call JustOneAPI's Douyin/Xingtu conversion-analysis endpoint. Before installing or using it, consider: (1) Only provide JUST_ONE_API_TOKEN if you trust https://api.justoneapi.com and its dashboard; (2) the included CLI sends the token as a query parameter, which servers, proxies and shell or browser history can record; avoid pasting tokens into chats or screenshots, scope the token as narrowly as the dashboard allows, and rotate it if it may have been logged; (3) ensure your agent environment runs a Node version with built-in fetch (Node 18 or later); (4) review the JustOneAPI service terms and privacy policy if you will send sensitive IDs; (5) if you need stronger secrecy, prefer a wrapper that sends the token in an Authorization header rather than in the URL, provided the API accepts it. Otherwise, the skill is internally consistent and proportionate.
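The query-string exposure that points (2) and (5) describe, shown as an added example in Node; this is not code from the skill, from ClawHub, or from JustOneAPI. The base URL is the one named in this review; the endpoint path, the fact that kolId and range travel as query parameters, upstream support for a bearer Authorization header, and the demo token are assumptions made for illustration only.

```javascript
// Added example, not code from the skill or from JustOneAPI. BASE_URL is from the
// review; the endpoint path, the query-parameter layout, and bearer-header support
// upstream are ASSUMED for illustration only.
const BASE_URL = "https://api.justoneapi.com";
const ENDPOINT_PATH = "/douyin/xingtu/conversion"; // assumed, not the documented path

// Pattern the review flags: the credential rides in the URL as ?token=...
function buildQueryTokenRequest(token, kolId, range) {
  const url = new URL(ENDPOINT_PATH, BASE_URL);
  url.searchParams.set("kolId", String(kolId));
  url.searchParams.set("range", String(range));
  url.searchParams.set("token", token);
  return { method: "GET", url: url.toString(), headers: {} };
}

// Alternative the guidance recommends, assuming the API accepts a bearer header.
function buildHeaderTokenRequest(token, kolId, range) {
  const url = new URL(ENDPOINT_PATH, BASE_URL);
  url.searchParams.set("kolId", String(kolId));
  url.searchParams.set("range", String(range));
  return {
    method: "GET",
    url: url.toString(),
    headers: { Authorization: `Bearer ${token}` },
  };
}

// What a common-log-format access log, a forward proxy, or a shell history
// typically records: the request line with path and query string, not headers.
function simulateAccessLogLine(req) {
  const u = new URL(req.url);
  return `${req.method} ${u.pathname}${u.search} HTTP/1.1`;
}

// True when the literal token would be written to such a log line.
function tokenLeaksToLog(req, token) {
  return simulateAccessLogLine(req).includes(token);
}

// Mitigation for the wrapper's own debug output: redact secret-bearing query
// parameters before a URL is ever printed, stored, or pasted anywhere.
function redactUrl(urlString, secretParams = ["token", "api_key", "apikey", "access_token"]) {
  const u = new URL(urlString);
  for (const name of secretParams) {
    if (u.searchParams.has(name)) u.searchParams.set(name, "REDACTED");
  }
  return u.toString();
}

// Constructed placeholder credential for the demo; not a real token.
const DEMO_TOKEN = "jot_demo_0123456789abcdef";

// Stand-alone demonstration of the difference between the two request shapes.
const viaQuery = buildQueryTokenRequest(DEMO_TOKEN, 12345, "30d");
const viaHeader = buildHeaderTokenRequest(DEMO_TOKEN, 12345, "30d");
console.log("query-string token appears in access log:", tokenLeaksToLog(viaQuery, DEMO_TOKEN)); // true
console.log("header token appears in access log:      ", tokenLeaksToLog(viaHeader, DEMO_TOKEN)); // false
console.log("safe to print:", redactUrl(viaQuery.url));
```

Either request object can be sent with the built-in fetch on Node 18 or later as `fetch(req.url, { method: req.method, headers: req.headers })`; the header form only helps if the upstream API actually honours an Authorization header, which this review does not establish, so check the JustOneAPI documentation before switching. The redaction helper is the cheap fix that applies in either case: anything the wrapper logs or echoes back to an agent transcript should pass through it first.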

Review Dimensions

Purpose & Capability
ok: The name/description match the code and SKILL.md: a single GET endpoint at api.justoneapi.com. The required binary (node) and the JUST_ONE_API_TOKEN credential are what an API wrapper of this kind is expected to need. No unrelated services, binaries, or config paths are requested.
Instruction Scope
note: Instructions are narrowly scoped to prompting for kolId/range and invoking the included Node script. The script performs a network request to the documented baseUrl and does not read local files or other environment variables. Note: the script injects the token as a query parameter (token=<...>), which can expose it to server logs, proxy logs, and other intermediaries. The SKILL.md warns against pasting tokens into chat, but a secret carried in a query string has an inherent logging risk that the warning does not remove.
Install Mechanism
ok: No install spec; this is instruction-plus-CLI code only. Nothing is downloaded at install time. The only runtime requirement is an existing node binary. No external URLs, archives, or package installs are used.
Credentials
note: Only JUST_ONE_API_TOKEN is required (primary credential), which is proportionate to a third-party API wrapper. Minor concern: the CLI sends the token as a query parameter, which increases the risk of accidental exposure through server logs, proxy logs, or shell and browser history; the skill requests no additional unrelated secrets.
Persistence & Privilege
ok: The skill does not request persistent or elevated privileges, does not set always:true, and does not modify other skills or system settings. It only runs the provided Node script when invoked.