Skill v1.0.0

ClawScan security

Douyin Creator Marketplace (Xingtu) Creator Link Metrics API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 25, 2026, 4:00 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requested credential (JUST_ONE_API_TOKEN) align with its stated purpose of calling the JustOneAPI endpoint for Douyin Creator Marketplace link metrics.
Guidance
This skill appears to do exactly what it claims: run a small Node script that calls JustOneAPI's Douyin endpoint using JUST_ONE_API_TOKEN. Before installing, confirm you trust api.justoneapi.com and that the token you provide is intended for this service. Note: the helper places the token in the request query string (token=<value>), which can be logged by clients, proxies, or servers — prefer using a token with limited scope or rotation if possible. Ensure 'node' is available on the runtime environment. Avoid pasting the token into chat or logs as the SKILL.md advises.

Review Dimensions

Purpose & Capability
ok: Name and description match the manifest, SKILL.md, and bin/run.mjs. The skill only needs node and JUST_ONE_API_TOKEN to call GET /api/douyin-xingtu/get-kol-link-info/v1, which is proportional to the stated function.
Instruction Scope
ok: SKILL.md instructs running the included node script with the token and kolId. The runtime instructions and the script only read provided arguments and the token; they do not reference other files, system state, or unrelated secrets.
Install Mechanism
ok: No install spec; this is an instruction-only skill that provides a small Node helper. There is no external download or archive extraction. The only runtime dependency is a 'node' binary, which is reasonable.
Credentials
ok: Only JUST_ONE_API_TOKEN is required and declared as the primary credential. That matches the API's need for authentication and there are no unrelated environment variables or config paths requested.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills or system configuration.