Skill v1.0.0
ClawScan security
Douyin Creator Marketplace (Xingtu) KOL Content Keyword Analysis API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Benign (Apr 27, 2026, 4:04 AM)
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it calls JustOneAPI to fetch Douyin (Xingtu) KOL keyword data, requires only node and a JustOneAPI token, and its files and instructions match that purpose.
- Guidance: This skill appears to do only what it says: call JustOneAPI to fetch Douyin/Xingtu KOL keyword data. Before installing, verify you trust https://api.justoneapi.com and that the JUST_ONE_API_TOKEN you provide has only the minimum required scope. Be aware the helper sends the token as a URL query parameter (not an Authorization header), which can expose the token in logs or referer headers; avoid using long-lived or highly privileged keys if you can. Do not paste your token into chat or public places; rotate it if you suspect it was logged or leaked. If you need stricter token handling (e.g., header-based auth), review/modify the script to use an Authorization header instead.
Review Dimensions
- Purpose & Capability (ok): Name/description match the actual behavior: the code calls https://api.justoneapi.com for the documented Douyin Creator Marketplace endpoint. Required items (node binary and JUST_ONE_API_TOKEN) are appropriate and proportional to the stated purpose; no unrelated credentials or binaries are requested.
- Instruction Scope (note): SKILL.md instructs the agent to run bin/run.mjs with --token and --params-json. That stays within scope (fetching endpoint data). Note: the implementation sends the API token as a query parameter (operation parameter named 'token'), which can cause tokens to appear in URL logs or referrers; consider whether that exposure is acceptable.
- Install Mechanism (ok): There is no install spec (instruction-only) and the included code is a small Node script; nothing is downloaded from external URLs or extracted. Risk from the install mechanism is minimal, assuming node is trusted on the host.
- Credentials (note): Only JUST_ONE_API_TOKEN is required, which is appropriate. However, the token is passed to the API as a query parameter by the helper, increasing the risk of accidental leakage (e.g., HTTP logs, proxies). No other secrets or unrelated env vars are requested.
- Persistence & Privilege (ok): The skill does not request permanent/always-on inclusion and doesn't modify other skills or system configs. It runs on demand and only performs outbound requests to the documented API host.
