Skill v1.0.0
ClawScan security
Douyin Creator Marketplace (Xingtu) Author Commerce Seeding Base Info API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 25, 2026, 7:59 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it wraps a single JustOneAPI GET endpoint, requires only Node and a single JUST_ONE_API_TOKEN, and the included code only performs the documented HTTP request and prints the JSON result.
- Guidance: This skill appears to do exactly what it claims: call a single JustOneAPI endpoint and return JSON. Before installing, consider:
  1. The skill requires node and a JUST_ONE_API_TOKEN; only provide a token you are comfortable giving to this API provider.
  2. The helper sends the token as a query parameter, so it is visible in the request URL and in anything that records URLs (proxy or server logs, for example). If possible use a scoped token, or verify with JustOneAPI whether token-in-query is the recommended auth method.
  3. Review JustOneAPI's trustworthiness and dashboard (links are provided in SKILL.md) and rotate or revoke the token if you stop using the skill.
  4. The included script does not read files or other environment variables, and there are no remote installs, so mechanical risk is low.
Review Dimensions
- Purpose & Capability: ok
- Name/description match the actual behavior. The skill only implements a single GET operation for JustOneAPI's Douyin/Xingtu endpoint and requires JUST_ONE_API_TOKEN and node, which are appropriate for this purpose.
- Instruction Scope: note
- SKILL.md and bin/run.mjs instruct the agent to collect the required parameter (oAuthorId) and call the documented endpoint. One noteworthy point: the operation expects the API token as a query parameter (params.token), which the helper injects from --token; passing tokens in URL/query strings increases exposure via logs or intermediaries. SKILL.md warns not to paste tokens into chat but does not call out URL/logging exposure.
- Install Mechanism: ok
- There is no install spec and no remote downloads; the bundle includes a small node script (bin/run.mjs). The only runtime requirement is the node binary. This is low-risk and proportionate.
- Credentials: note
- The skill requests a single credential, JUST_ONE_API_TOKEN (declared as primaryEnv), which directly maps to the documented API authentication. This is proportionate. As noted, the endpoint takes the token as a query parameter, which leaks more easily (logs, referers) than header-based auth; consider using scoped tokens or verifying the provider's recommended auth method.
- Persistence & Privilege: ok
- always is false and the skill does not persist or modify other skills or system configuration. It does not write files or request elevated privileges.
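The token-in-query concern raised under Instruction Scope and Credentials, illustrated with an added Node example. This is not the skill's bin/run.mjs and not JustOneAPI's code: the endpoint URL, the header-based alternative and the redaction helper are assumptions made for illustration, and whether JustOneAPI accepts a header-carried token is exactly the question the review says to verify with the provider. The example builds the request both ways, checks whether the resulting URL string contains the secret (which is what a proxy or server log would record), and masks the parameter before any URL is logged.

```javascript
// Added example; not the skill's own script. BASE_URL is an assumption, not
// JustOneAPI's real endpoint. Runs offline: it only builds URLs, no request is sent.
const BASE_URL = "https://api.example.invalid/xingtu/author/base-info";

// Request shape the review describes: token injected into the query string
// (params.token). The token becomes part of the URL and of any log line that
// records the URL.
function buildQueryTokenRequest(oAuthorId, token) {
  const url = new URL(BASE_URL);
  url.searchParams.set("oAuthorId", oAuthorId);
  url.searchParams.set("token", token);
  return { url: url.toString(), headers: {} };
}

// Header-based alternative (assumption: only usable if the provider accepts it).
// The URL stays free of the secret; only the Authorization header carries it.
function buildHeaderTokenRequest(oAuthorId, token) {
  const url = new URL(BASE_URL);
  url.searchParams.set("oAuthorId", oAuthorId);
  return { url: url.toString(), headers: { Authorization: `Bearer ${token}` } };
}

// Query parameter names treated as secrets when redacting (illustrative list).
const SENSITIVE_PARAMS = new Set(["token", "api_key", "apikey", "access_token"]);

// Replace the value of every sensitive query parameter so the URL can be logged.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, "REDACTED");
    }
  }
  return url.toString();
}

// Would a plain string copy of this URL (a log line, a referer) reveal the token?
function urlExposesToken(rawUrl, token) {
  return rawUrl.includes(encodeURIComponent(token));
}

// Constructed demo values, not real identifiers or credentials.
const demoAuthorId = "12345";
const demoToken = "tok_constructed_example_123";

const viaQuery = buildQueryTokenRequest(demoAuthorId, demoToken);
const viaHeader = buildHeaderTokenRequest(demoAuthorId, demoToken);

console.log("query-token URL exposes token:", urlExposesToken(viaQuery.url, demoToken));   // true
console.log("header-token URL exposes token:", urlExposesToken(viaHeader.url, demoToken)); // false
console.log("safe to log:", redactUrl(viaQuery.url));
```

If the provider only accepts the token in the query string, the redaction step is the part worth keeping: route every URL the helper prints or logs through it, and assume any intermediary that sees the raw URL has seen the token.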
