Skill v1.0.0
ClawScan security
IMDb Top Cast and Crew API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 10:16 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required token align with its stated purpose (calling JustOneAPI's IMDb top cast-and-crew endpoint); nothing requests unrelated credentials, surprising installs, or hidden behavior.
- Guidance: This skill is a small Node wrapper around JustOneAPI's documented endpoint and appears coherent. Before installing, ensure you trust the JustOneAPI token provider (JUST_ONE_API_TOKEN) and are comfortable granting the skill the ability to make outbound requests to api.justoneapi.com. Avoid pasting your token into chat logs; use platform-provided secret storage where available.
Review Dimensions
- Purpose & Capability: ok. Name/description (IMDb Top Cast and Crew via JustOneAPI) match the actual behavior: a small Node CLI that performs a GET against https://api.justoneapi.com/api/imdb/title-top-cast-and-crew/v1. Required binary (node) and the JUST_ONE_API_TOKEN credential are appropriate for this purpose.
- Instruction Scope: ok. SKILL.md and bin/run.mjs narrowly instruct the agent to collect the 'id' input and call the documented endpoint. There are no instructions to read other files, env vars, or to transmit data to unrelated endpoints. The token is passed only to the declared API.
- Install Mechanism: ok. No install spec; this is an instruction/utility script that requires an existing Node runtime. No downloads, archives, or third-party installers are invoked.
- Credentials: ok. Only JUST_ONE_API_TOKEN is required and is the declared primary credential. No unrelated secrets or config paths are requested. The code uses the token only as a query parameter to the documented API.
- Persistence & Privilege: ok. The skill does not request always:true, does not modify other skills or system configs, and has no persistent install steps. Autonomous invocation is the platform default and is not combined with other concerning flags.
