Skill v1.0.0
ClawScan security
Douyin Creator Marketplace (Xingtu) Spread Metrics API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 25, 2026, 7:15 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it is a small Node-based wrapper for a single JustOneAPI endpoint and only requests the expected API token and query parameters needed to call that endpoint.
- Guidance: This skill appears to do exactly what it claims: make a GET to JustOneAPI's Douyin/Xingtu spread metrics endpoint using JUST_ONE_API_TOKEN and a kolId. Before installing, confirm you trust the JustOneAPI service and that the token you provide has limited scope and can be rotated. Do not paste the token into chat; use the declared JUST_ONE_API_TOKEN environment variable. Ensure Node (v18+ recommended for global fetch) is available in the runtime. If you need stronger assurance, verify the skill publisher identity and test with a limited-permission token.
Review Dimensions
- Purpose & Capability (ok): Name/description match the requested artifacts: the skill targets JustOneAPI's Douyin/Xingtu spread-metrics endpoint and only requires node and JUST_ONE_API_TOKEN, which are appropriate for this purpose.
- Instruction Scope (ok): SKILL.md instructs the agent to collect kolId and pass the token; run.mjs only builds a request to the documented endpoint, validates required params, and prints the JSON response. There are no instructions to read unrelated files or environment variables.
- Install Mechanism (ok): This is instruction-only with a small runtime script (no install spec). Requiring 'node' to run bin/run.mjs is proportional and expected; there are no downloads or extracted archives.
- Credentials (ok): Only JUST_ONE_API_TOKEN is requested (declared as primary). No other secrets, config paths, or unrelated credentials are required or referenced.
- Persistence & Privilege (ok): 'always' is false and the skill does not request permanent system presence or modify other skills or system-wide settings. It only uses the provided token at call time.
