Skill v1.0.0
ClawScan security
Douyin Creator Marketplace (Xingtu) Cost Performance Analysis API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign (Apr 24, 2026, 11:03 PM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required token are consistent with calling JustOneAPI's Douyin Xingtu endpoint; nothing it requests or installs is disproportionate to that purpose.
- Guidance: This skill appears to do exactly what it says: call JustOneAPI's Douyin/Xingtu endpoint with a kolId. Before installing or using it: (1) only provide a JUST_ONE_API_TOKEN obtained from the official JustOneAPI dashboard, and supply it through a secure environment variable rather than pasting it into chat; (2) be aware that the token is sent as a query parameter, so it can end up in server or proxy logs (and, because the script also accepts it as a `--token` argument, in shell history); rotate the token if you suspect exposure; (3) confirm that you trust api.justoneapi.com and that the token's permissions are no broader than this call needs; (4) since the script runs locally under node, run it in a safe environment and inspect the small bin/run.mjs file (already reviewed) before executing it.
Review Dimensions
- Purpose & Capability (ok): Name and description map to a single GET endpoint on api.justoneapi.com. The declared requirements (node, JUST_ONE_API_TOKEN) and the bundled run.mjs script implement only that API call; there are no unrelated credentials, binaries, or config paths.
- Instruction Scope (note): SKILL.md only instructs running the local node script with `--operation`, `--token`, and a params JSON containing kolId. The bundled script only constructs a URL, performs a fetch, and prints the JSON response. One operational note: the token is injected as a query parameter (named `token`), which can expose it in HTTP logs or Referer headers. This is a leakage risk inherent to the endpoint's design rather than something the skill adds.
- Install Mechanism (ok): No install spec; the skill is instruction-only with a small local script (bin/run.mjs). It does not download external code or modify system files. Requiring the node binary is proportional and expected for executing the bundled script.
- Credentials (note): Only JUST_ONE_API_TOKEN is required, and it is the primary credential, which is what a third-party API wrapper would be expected to need. As noted above, the token travels in the query string and may be logged by intermediaries or by the API provider; treat it as sensitive and revoke or regenerate it if it is ever exposed.
- Persistence & Privilege (ok): `always` is false, and there is no indication that the skill persists beyond its own files or modifies other skills or system settings. The skill does not request elevated or persistent system privileges.
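The query-string token noted under Instruction Scope and Credentials is the one thing an operator has to manage here. The following is example code written for this review, not the skill's bundled run.mjs: it builds the request the way the review describes (token under the `token` query parameter), reads the token from JUST_ONE_API_TOKEN only, redacts the token from any URL that gets printed or embedded in an error, and checks a captured line (log entry, chat message, shell history) for the live token so you know whether rotation is needed. The endpoint path and the sample token are assumptions and do not come from the page.

```javascript
// Example code for this review, not the skill's own script.
// Assumed values (not from the page): ENDPOINT_PATH and the sample token below.
const API_ORIGIN = 'https://api.justoneapi.com';              // named in the review
const ENDPOINT_PATH = '/v1/douyin/xingtu/cost-performance';    // hypothetical path

// Build the request URL as the review says the bundled script does:
// the credential rides in the query string under the name 'token'.
function buildRequestUrl(token, params) {
  const url = new URL(ENDPOINT_PATH, API_ORIGIN);
  url.searchParams.set('token', token);
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, String(value));
  }
  return url.toString();
}

// Replace the token value before a URL is logged, printed, or put in an error.
// The rest of the URL (endpoint, kolId) stays intact for debugging.
function redactUrl(urlString) {
  const url = new URL(urlString);
  if (url.searchParams.has('token')) {
    url.searchParams.set('token', 'REDACTED');
  }
  return url.toString();
}

// Check one captured line for the live token in any form it could appear:
// raw, percent-encoded, or form-encoded (how URLSearchParams writes it).
function lineLeaksToken(line, token) {
  if (!token) return false;
  const formEncoded = new URLSearchParams({ t: token }).toString().slice(2);
  return line.includes(token) ||
    line.includes(encodeURIComponent(token)) ||
    line.includes(formEncoded);
}

// Take the token from the environment only (the review's guidance),
// never from argv, where it would be visible in `ps` output and shell history.
function tokenFromEnv(env = process.env) {
  const token = env.JUST_ONE_API_TOKEN;
  if (typeof token !== 'string' || token.trim() === '') {
    throw new Error('JUST_ONE_API_TOKEN is not set');
  }
  return token;
}

// Perform the call, making sure a failure never echoes the full URL.
// fetchImpl is injectable so the function can be exercised offline.
async function callXingtu(token, params, fetchImpl = fetch) {
  const url = buildRequestUrl(token, params);
  const response = await fetchImpl(url);
  if (!response.ok) {
    throw new Error(`request to ${redactUrl(url)} failed: HTTP ${response.status}`);
  }
  return response.json();
}

// Offline demonstration with a constructed token and a constructed log line.
const SAMPLE_TOKEN = 'tok_example_0123456789';               // constructed, not real
const sampleUrl = buildRequestUrl(SAMPLE_TOKEN, { kolId: '1234567890' });
const sampleLogLine = `GET ${sampleUrl} 200`;                 // constructed log entry
console.log('safe to log:', redactUrl(sampleUrl));
console.log('log line leaks token:', lineLeaksToken(sampleLogLine, SAMPLE_TOKEN));
```

`redactUrl` is what the skill's own script would need to wrap around anything it prints on failure; `lineLeaksToken` is the check to run over access logs or a pasted chat transcript after a suspected exposure, and a true result means the token should be rotated in the JustOneAPI dashboard.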
