Back to skill
Skillv1.0.0
ClawScan security
Douyin Creator Marketplace (Xingtu) Creator Profile API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 25, 2026, 9:56 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requested credential (JUST_ONE_API_TOKEN) align with its stated purpose (calling a JustOneAPI Douyin/Xingtu endpoint) and do not request unrelated access.
- Guidance
- This skill appears to be a straightforward JustOneAPI wrapper. Before installing: ensure you trust api.justoneapi.com and are comfortable providing JUST_ONE_API_TOKEN (the skill sends it as the API query token). Do not paste the token into chat or logs; follow the SKILL.md guidance to pass it via the environment when invoking the script. Confirm you have a compatible Node runtime and that network access to api.justoneapi.com is acceptable for your environment.
Review Dimensions
- Purpose & Capability
- okName/description declare a single JustOneAPI endpoint and the skill requires only node and JUST_ONE_API_TOKEN. The required token and node binary are proportional and expected for an API wrapper.
- Instruction Scope
- okSKILL.md and bin/run.mjs only instruct the agent to collect the oAuthorId and call the documented endpoint on api.justoneapi.com; they do not reference unrelated files, system paths, or additional environment variables.
- Install Mechanism
- okNo install spec (instruction-only) and included code is a small, readable Node script that issues an HTTP request; nothing is downloaded from untrusted URLs or written to unexpected locations.
- Credentials
- okOnly JUST_ONE_API_TOKEN is required and it is used as the API query token for JustOneAPI. No unrelated credentials or high-privilege environment access are requested.
- Persistence & Privilege
- okalways is false, the skill does not modify other skills or system configuration and does not request permanent presence or elevated privileges.