Skill v1.0.0

ClawScan security

Douyin Creator Marketplace (Xingtu) Creator Channel Metrics API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 25, 2026, 9:56 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and requested token are consistent with its stated purpose of calling JustOneAPI to fetch Douyin (Xingtu) creator channel metrics.
Guidance
This skill appears to do what it says: a small Node helper calls JustOneAPI to fetch Douyin creator channel metrics and requires JUST_ONE_API_TOKEN. Before installing, confirm you trust JustOneAPI (https://api.justoneapi.com) and are comfortable granting it the token. Be aware the script sends the token as a URL query parameter (can be logged by servers/proxies) — if you prefer less exposure, check whether the provider supports sending tokens in an Authorization header. Ensure Node is available where the skill will run. If you do not want the agent to call the skill autonomously, consider disabling autonomous invocation for this skill in your agent settings.

Review Dimensions

Purpose & Capability
ok · Name and description match the included manifest, SKILL.md, and bin/run.mjs. The skill only implements one GET operation to JustOneAPI for Douyin creator channel metrics; requiring JUST_ONE_API_TOKEN and node is coherent with that purpose.
Instruction Scope
ok · SKILL.md and bin/run.mjs only request the required inputs (oAuthorId and the API token) and instruct the agent to call the documented endpoint. There are no instructions to read unrelated files, environment variables, or system state. The SKILL.md explicitly warns not to paste tokens into chat.
Install Mechanism
ok · There is no install spec (instruction-only skill with a helper script). The bundled bin/run.mjs is a small Node script that makes an HTTPS request to api.justoneapi.com; nothing is downloaded from arbitrary URLs and no archives are extracted.
Credentials
note · Only JUST_ONE_API_TOKEN is required, which is appropriate for calling the third-party API. Note: the OpenAPI/manifest models the token as a query parameter named 'token', so the script places the token in the request URL query string — this can increase exposure risk through logs, proxies, or referer headers compared to an Authorization header.
Persistence & Privilege
ok · The manifest's always flag is false, and the skill does not attempt to modify other skills or global agent settings. It runs a local Node script (requires node) and does not request permanent presence or elevated privileges.