Back to skill
Skillv1.0.0
ClawScan security
IMDb 'Did You Know' Insights API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 27, 2026, 11:15 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is coherent: it only needs a JustOneAPI token and node to call the documented IMDb 'Did You Know' endpoint and its code/instructions match that purpose.
- Guidance
- This skill appears to do exactly what it says: call JustOneAPI's IMDb 'Did You Know' endpoint. Before installing, confirm the JUST_ONE_API_TOKEN is from a trusted JustOneAPI account and that you are comfortable with the token being sent as a query parameter (tokens in URLs can be logged in server logs, proxies, or browser history). Ensure your agent environment provides a compatible Node runtime and that outbound requests to api.justoneapi.com are allowed. Do not paste the token into chat; use the declared env var. If you need stricter privacy, verify whether the API supports Authorization headers rather than query tokens or limit the token's scope in the JustOneAPI dashboard.
Review Dimensions
- Purpose & Capability
- okName/description, required binary (node), and required env var (JUST_ONE_API_TOKEN) all directly relate to calling JustOneAPI's IMDb endpoint; nothing requested appears unrelated.
- Instruction Scope
- okSKILL.md and bin/run.mjs only instruct the agent to collect the required 'id' parameter and call the documented GET endpoint. The instructions do not read or transmit other files, environment variables, or system configuration beyond the declared token.
- Install Mechanism
- okThere is no external install step or downloads—this is instruction-only with an included Node script (bin/run.mjs). No archive downloads or third-party installers are used.
- Credentials
- okOnly JUST_ONE_API_TOKEN is required and it is the primary credential used to authenticate to the stated API. No unrelated secrets or credentials are requested.
- Persistence & Privilege
- okThe skill is not always-on, does not modify other skills or system config, and does not request elevated or persistent privileges.