Skill v1.0.0

ClawScan security

IMDb Plot Summary API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 10:16 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it calls JustOneAPI's IMDb plot-summary endpoint using a single required API token and a small included Node script; nothing requested or performed is out of scope for the described purpose.
Guidance
This skill appears to do only what it says: call JustOneAPI's IMDb plot-summary endpoint. Before installing, confirm you trust https://api.justoneapi.com and that you want to provide JUST_ONE_API_TOKEN. Note that the included script sends the token in the query string (not an Authorization header), which can be logged or leaked via Referer; prefer a scoped/rotatable token and rotate it if you suspect exposure. Ensure Node is available in the runtime, and avoid pasting tokens into chat or public logs.

Review Dimensions

Purpose & Capability
ok
Name/description match the code and instructions: the skill calls GET /api/imdb/title-plot-query/v1 on api.justoneapi.com. Required items (node runtime and JUST_ONE_API_TOKEN) are appropriate for that purpose and no unrelated credentials or binaries are requested.
Instruction Scope
ok
SKILL.md and bin/run.mjs instruct the agent to request an `id`, pass the token, call the documented endpoint, and return JSON. The runtime script only constructs the request, performs the fetch, and writes JSON to stdout; it does not read other files, environment variables, or system state.
Install Mechanism
ok
There is no install spec and the skill is instruction-only aside from a small local Node script (bin/run.mjs). Nothing is downloaded from external URLs or installed automatically, which minimizes installation risk. Node must be present on PATH.
Credentials
note
Only JUST_ONE_API_TOKEN is required, which is proportional. One important caveat: the included script sends the token as a query parameter (token=<value>), which can be exposed in logs, server-side request logs, or Referer headers. Users should be aware of this and use a scoped/rotatable token if possible.
Persistence & Privilege
ok
The skill does not request always:true and makes no modifications to other skills or system settings. It is user-invocable and may be invoked autonomously (platform default), which is expected for this type of skill.