Skill v1.0.0
ClawScan security
Douyin Creator Marketplace (Xingtu) Video Distribution API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 26, 2026, 8:00 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill is internally consistent: it simply calls a JustOneAPI Douyin/Xingtu endpoint and only requires the JUST_ONE_API_TOKEN and node to run.
- Guidance
- This skill appears to do exactly what it claims: it runs a small Node helper that calls JustOneAPI's Douyin/Xingtu endpoint and requires JUST_ONE_API_TOKEN. Before installing: (1) Confirm you trust api.justoneapi.com and the Just One API service; (2) Be aware the token is sent as a query parameter (URLs can be logged by servers, proxies, browser history), so prefer short-lived tokens or rotate the token if compromised; (3) Do not paste the token into chats or logs — provide it via environment variable as instructed; (4) Inspect the included bin/run.mjs (already present) if you want to verify there are no extra behaviors; and (5) If you allow autonomous invocation, remember the agent could call this API without an explicit prompt — restrict token scope/permissions accordingly.
Review Dimensions
- Purpose & Capability
- ok: The name/description state it will call GET /api/douyin-xingtu/.../author_video_distribution/v1 on JustOneAPI; the code and SKILL.md implement exactly that. Required binary (node) and required env var (JUST_ONE_API_TOKEN) are coherent with the stated purpose.
- Instruction Scope
- note: SKILL.md instructs the agent to ask for oAuthorId and run the local helper; the helper only builds an HTTP GET to api.justoneapi.com and returns JSON. The skill does not read other files or unrelated env vars. Note: the token is passed as a query parameter (operation defines a required 'token' query param and the helper injects the CLI token into query params) — tokens in URLs can be exposed in logs or proxies, so consider that privacy implication.
- Install Mechanism
- ok: No install spec or remote downloads; this is effectively an instruction-only skill with a small included Node helper (bin/run.mjs). Nothing in the install footprint writes arbitrary external code to disk or fetches from untrusted URLs.
- Credentials
- note: The only required environment variable is JUST_ONE_API_TOKEN, declared as the primary credential — this matches the API usage. As above, the token is sent in the query string which has higher exposure risk than an Authorization header; otherwise the credential request is proportionate.
- Persistence & Privilege
- ok: The 'always' field is false and there are no requests to modify other skills or global agent settings. The skill can be invoked autonomously (default for skills) but it does not request permanent elevated presence.
