Skill v1.0.0
ClawScan security
Douyin Creator Marketplace (Xingtu) Creator Profile API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 25, 2026, 4:00 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required token are consistent with its stated purpose (calling JustOneAPI's Douyin/Xingtu get-kol-info endpoint); nothing in the package requests unrelated credentials or installs arbitrary code.
- Guidance: This skill appears coherent and limited to calling JustOneAPI's Douyin/Xingtu creator-profile endpoint. Before installing: (1) confirm JUST_ONE_API_TOKEN is scoped only to JustOneAPI and rotate it if you suspect exposure; (2) be aware the token is sent as a URL query parameter (this can be logged or leaked via referer headers) — if you need stronger protection, ask the provider for header-based auth or scoped tokens; (3) ensure Node is available in the runtime environment; (4) run the script in a controlled environment first and inspect network requests if you want to verify behavior; and (5) do not paste the token into chats or public logs.
Review Dimensions
- Purpose & Capability (ok): Name and description match the implementation: the included run.mjs calls GET /api/douyin-xingtu/get-kol-info/v1 on https://api.justoneapi.com and requires JUST_ONE_API_TOKEN. Requiring node and a JustOneAPI token is appropriate for this API wrapper.
- Instruction Scope (note): SKILL.md is focused on invoking the single API operation and instructs the agent to collect only the required kolId parameter. One noteworthy behavior: the implementation sends the API token as a query parameter (token) in the URL, which can make the token appear in logs, referer headers, or server logs — a privacy/leakage consideration, though not inconsistent with the skill's purpose.
- Install Mechanism (ok): No install spec or external downloads; this is instruction-only with a small bundled Node script. No archives or third-party packages are fetched during install.
- Credentials (note): Only JUST_ONE_API_TOKEN is required (declared as the primary credential), which is proportional to the skill. As noted above, the token is passed in the query string; users should be aware of possible token exposure in logs or referer headers.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request system-wide configuration changes or additional privileges. It does not attempt to modify other skills or persist beyond its own files.
