Skill v1.0.0

ClawScan security

IMDb Extended Details API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 8:46 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it implements a single IMDb endpoint against JustOneAPI, needs only a JustOneAPI token and node, and its instructions and code match that purpose.
Guidance
This skill appears to do exactly what it claims: call JustOneAPI's IMDb extended-details endpoint. Before installing, confirm you trust JustOneAPI and the publisher, because the skill requires your JUST_ONE_API_TOKEN. Note that the token is sent as a query parameter (per the API definition) which can be exposed in logs or URLs—if you have a token scope or rotation policy, consider using a limited-scope token and rotating it. Ensure your runtime node version supports fetch or run the script in an environment where node fetch is available. Avoid pasting the token into chat or logs; supply it via the declared environment variable when invoking the skill.

Review Dimensions

Purpose & Capability
ok: Name/description, required env var (JUST_ONE_API_TOKEN), required binary (node), and the included run.mjs script all align with calling JustOneAPI's IMDb endpoint; nothing requested appears unrelated to the stated purpose.
Instruction Scope
note: SKILL.md and run.mjs only gather the required 'id' and the token, call the documented JustOneAPI endpoint, and return JSON. Minor note: the API expects the token as a query parameter (the script appends token to the URL), which can increase exposure risk (tokens in query strings may be stored in logs) but is consistent with the included OpenAPI metadata.
Install Mechanism
note: No install spec (instruction-only), which is low risk. There is a runnable bin/run.mjs included and the skill declares node as required; this is coherent. No external downloads or unusual install steps are present.
Credentials
ok: Only JUST_ONE_API_TOKEN is required and declared as primaryEnv; no unrelated credentials or extra environment variables are requested.
Persistence & Privilege
ok: always is false and the skill does not request persistent/privileged system presence or modify other skills. Autonomous invocation is allowed but is the platform default and not combined with other red flags.