Skill v1.0.0

ClawScan security

Douyin Creator Marketplace (Xingtu) Showcase Items API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 25, 2026, 11:01 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it simply calls a JustOneAPI GET endpoint and only requires a Node runtime and a single JustOneAPI token, which matches the described purpose.
Guidance
This skill appears to do exactly what it says: make a GET call to JustOneAPI’s Douyin/Xingtu endpoint using your JUST_ONE_API_TOKEN. Before installing, confirm you trust JustOneAPI and the token you will supply (it will be sent as a query parameter to https://api.justoneapi.com). Keep the token secret (do not paste it into chat or logs). Ensure your Node runtime is recent enough to run the script (Node 18+ recommended for built-in fetch). If you need stricter guarantees, review network egress policies and the API provider’s privacy/billing terms so you understand what data may be fetched and any associated costs.

Review Dimensions

Purpose & Capability
ok: Name/description claim a focused API call to JustOneAPI for Douyin (Xingtu) showcase items. The only requested binary (node) and the single required env var (JUST_ONE_API_TOKEN) are appropriate and expected for making that API request.
Instruction Scope
ok: SKILL.md and the runtime script confine actions to collecting required parameters, building the request to https://api.justoneapi.com, and printing the returned JSON. There are no instructions to read unrelated files, other env vars, or to transmit data to unexpected endpoints.
Install Mechanism
ok: There is no install spec (instruction-only style) and the included bin/run.mjs is a small CLI helper. Nothing is downloaded from arbitrary URLs and no archives are extracted.
Credentials
ok: The skill requires a single credential (JUST_ONE_API_TOKEN) which is the expected credential to authenticate to JustOneAPI. No unrelated secrets, system config paths, or additional service credentials are requested.
Persistence & Privilege
ok: The skill is not force-included (always: false) and does not request system-wide modifications or persistent privileges. It does not modify other skills' configs.