Skill v1.0.0

ClawScan security

Douyin Creator Marketplace (Xingtu) Follower Distribution API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 9:58 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required environment variable align with its stated purpose (calling JustOneAPI's Douyin follower-distribution endpoint); nothing requested appears extraneous or inconsistent.
Guidance
This skill appears coherent: it runs a small Node script that calls JustOneAPI's Douyin follower-distribution endpoint and requires JUST_ONE_API_TOKEN. Before installing, verify that the token is a JustOneAPI token (issued from dashboard.justoneapi.com) and understand that the script sends it to api.justoneapi.com as a query parameter, where it can be captured in server access logs, proxy logs, and any chat transcript in which the full URL is echoed. Supply the token through the environment variable rather than pasting it into the conversation, consider testing with a limited-scope or non-production token, and make sure the agent runs where Node is available and outbound HTTPS to api.justoneapi.com is allowed.

Review Dimensions

Purpose & Capability
ok · Name/description, required binary (node), and required env var (JUST_ONE_API_TOKEN) match the skill's purpose of calling JustOneAPI's Douyin follower-distribution endpoint. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
ok · SKILL.md and bin/run.mjs only describe collecting the required parameter (oAuthorId), injecting the provided JustOneAPI token, and making an HTTP GET to api.justoneapi.com. The instructions do not ask the agent to read unrelated files or system state, or to forward data to other endpoints.
Install Mechanism
ok · There is no remote install or download step. The skill is instruction-first and ships a small Node script (bin/run.mjs) that the agent executes directly. No external URLs are fetched, no archives are extracted, and no third-party packages are installed at runtime.
Credentials
note · Only JUST_ONE_API_TOKEN is required, which is appropriate for this API wrapper. The token is injected as a query parameter (token=<value>) per the manifest and script; query parameters are commonly written to server access logs and intermediate proxy logs, and they appear in any transcript where the full URL is printed. Scope the token as narrowly as the API allows, supply it from the environment, and avoid pasting it into chats.
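The Guidance and Credentials notes above both turn on the same point: a token placed in the query string is part of the URL, so every component that logs URLs sees it. The following is an added example, not the skill's own bin/run.mjs, that builds a request URL the way the note describes (token and oAuthorId as query parameters), reads the token only from JUST_ONE_API_TOKEN, and redacts sensitive query values from a URL or log line before it is printed or stored. The endpoint path and the sample log line are assumptions constructed for the example; only the host api.justoneapi.com and the parameter names come from the review.

```javascript
// Added example, not part of the reviewed skill. Demonstrates (1) how a
// query-string token becomes part of every logged URL and (2) a redaction
// step to apply before anything containing the URL is logged or echoed.

// Query keys whose values must never reach a log. "token" is the one the
// skill uses; the others are common aliases (assumption, not from the skill).
const SENSITIVE_QUERY_KEYS = new Set(["token", "access_token", "api_key"]);

// Placeholder endpoint path: the real path in bin/run.mjs is not reproduced here.
const DEFAULT_ENDPOINT = "https://api.justoneapi.com/douyin/follower-distribution";

// Read the token from the environment only. Refusing an empty value forces the
// caller to export JUST_ONE_API_TOKEN instead of pasting the secret into a chat.
function tokenFromEnv(env = process.env) {
  const token = env.JUST_ONE_API_TOKEN;
  if (typeof token !== "string" || token.trim() === "") {
    throw new Error("JUST_ONE_API_TOKEN is not set; export it in the environment");
  }
  return token.trim();
}

// Build the GET URL the way the review describes: oAuthorId plus token=<value>
// in the query string. The returned string is exactly what a server access log
// or forward proxy would record, secret included.
function buildRequestUrl(token, oAuthorId, endpoint = DEFAULT_ENDPOINT) {
  const url = new URL(endpoint);
  url.searchParams.set("oAuthorId", String(oAuthorId));
  url.searchParams.set("token", token);
  return url.toString();
}

// Replace the value of any sensitive query parameter found in a URL or in a
// log line that embeds one. Non-sensitive parameters (oAuthorId) are kept so
// the log stays useful for debugging.
function redactUrl(text) {
  return text.replace(/([?&])([^=&\s]+)=([^&\s"']*)/g, (match, sep, key) =>
    SENSITIVE_QUERY_KEYS.has(key.toLowerCase()) ? `${sep}${key}=[REDACTED]` : match
  );
}

// Constructed access-log line in a common "method path status" shape, to show
// the redaction working on the kind of line a proxy or server would emit.
function sampleAccessLogLine(token, oAuthorId) {
  const url = new URL(buildRequestUrl(token, oAuthorId));
  return `GET ${url.pathname}${url.search} 200`;
}

// Demonstration when run directly: node this-file.mjs
if (process.argv[1] && process.argv[1].endsWith("this-file.mjs")) {
  const token = tokenFromEnv();
  const url = buildRequestUrl(token, "7012345678");
  console.log("request URL as the server sees it:", url);          // contains the token
  console.log("what may be logged locally:", redactUrl(url));      // token redacted
  console.log("redacted access log line:", redactUrl(sampleAccessLogLine(token, "7012345678")));
}
```

The redaction is applied to the string, not to the request: the API still receives the token in the query string because that is how the skill's endpoint is called. What the helper prevents is the secret leaking a second time through the agent's own output, a local log file, or a transcript.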
Persistence & Privilege
ok · The skill is not always-included, does not request elevated platform privileges, and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with other concerning permissions.