Skill v1.0.0
ClawScan security
Douyin Creator Marketplace (Xingtu) Showcase Items API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 25, 2026, 7:15 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is a small, coherent wrapper around JustOneAPI's Douyin/Xingtu endpoint and only requires a single API token and node to call the documented GET endpoint.
- Guidance: This skill appears to do exactly what it claims: call JustOneAPI's Douyin/Xingtu showcase-items endpoint using JUST_ONE_API_TOKEN. Before installing: (1) Verify you trust https://api.justoneapi.com and the token you obtain (create a scoped/limited token if possible); (2) Prefer passing secrets via a safe mechanism: the provided script expects --token, which can expose the secret in process listings and logs, so consider wrapping or modifying the script to read the token from an environment variable or secure file descriptor instead; (3) Run in a least-privileged environment and avoid pasting the token into chat or logs; (4) If you do not trust the publisher, inspect the included bin/run.mjs (which is small and straightforward) or run it in an isolated container; (5) Rotate the token if you suspect exposure.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (node), required env var (JUST_ONE_API_TOKEN), and included code all align with a thin HTTP client for the documented JustOneAPI endpoint.
- Instruction Scope (note): SKILL.md instructs running the included node script with --operation and --token and to provide kolId; the runtime does only what the docs describe (builds a URL, adds query params, calls api.justoneapi.com, returns JSON). Note: the script expects the token on the command line (--token), which can expose the token in process listings or logs, a minor operational risk to consider.
- Install Mechanism (ok): There is no installer; this is an instruction-only skill that ships a small Node script. No downloads from third-party URLs, no package installs, and only the standard node binary is required.
- Credentials (ok): Only a single credential (JUST_ONE_API_TOKEN) is requested and it directly maps to the API's required 'token' query parameter. No unrelated credentials, files, or config paths are requested.
- Persistence & Privilege (ok): always:false (default) and the skill does not request system-wide modifications or access to other skills' config. Autonomous invocation is allowed by platform default but is not combined with other elevated privileges.
