Skill v1.0.0

ClawScan security

Douyin Creator Marketplace (Xingtu) Creator Search API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 27, 2026, 4:04 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is a small, coherent wrapper around JustOneAPI's Douyin/Xingtu creator-search endpoint and only requires a single service token and node to run.
Guidance
This skill appears to be a thin, local Node CLI wrapper around JustOneAPI's Douyin/Xingtu creator-search endpoint and only needs your JUST_ONE_API_TOKEN. Before installing: (1) confirm you trust JustOneAPI (https://api.justoneapi.com) because the token will be sent to that domain; (2) be aware the token is attached as a query parameter (it can appear in logs or referer headers) — if this is a concern, contact the API provider for alternatives; (3) review the bundled bin/run.mjs (it is short and readable) before use; and (4) only provide the token to skills you trust. Overall the skill is internally consistent and proportional to its stated purpose.

Review Dimensions

Purpose & Capability
ok
Name/description match the implemented behavior: the code constructs a GET to https://api.justoneapi.com/api/douyin-xingtu/... and exposes the documented query parameters. Required items (node, JUST_ONE_API_TOKEN) are appropriate for this purpose.
Instruction Scope
note
SKILL.md and bin/run.mjs only build a query to the JustOneAPI endpoint and return JSON. The script requires the token and any query params; it does not read other files or environment variables. Note: the token is sent as a query parameter (not an Authorization header), which can cause the token to appear in logs or referer headers. This is a protocol choice by the skill/backend, not hidden behavior.
Install Mechanism
ok
No external install/downloads or remote installers are used. The skill is instruction-only with a bundled Node script (bin/run.mjs) that runs locally; no arbitrary remote code fetches or URL-based installers detected.
Credentials
ok
Only JUST_ONE_API_TOKEN is required and declared as the primary credential. That single token is proportional to calling an external API; no unrelated credentials or config paths are requested.
Persistence & Privilege
ok
always:false (not force-included). The skill does not modify other skills or system-wide settings and does not request persistent elevated privileges.