Skill v1.0.0
ClawScan security
IMDb User Reviews Summary API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 10:16 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and required JUST_ONE_API_TOKEN are consistent with its stated purpose of calling JustOneAPI's IMDb user-reviews-summary endpoint.
- Guidance: This skill appears coherent and limited to calling JustOneAPI. Before installing: ensure the JUST_ONE_API_TOKEN you provide is a JustOneAPI token with appropriate scope and that you trust the service; be aware the token is sent as a query parameter (it can appear in server logs or URL history); ensure your environment has a compatible Node version (Node 18+ for global fetch) if you plan to run the included script locally; and avoid pasting the token into chat or screenshots as the README already advises. If you need extra safety, review the script locally to confirm no additional network calls are made and consider using a short-lived token or proxy when possible.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (node), and required env var (JUST_ONE_API_TOKEN) all align with a small HTTP client that calls JustOneAPI. There are no unrelated credentials or binaries requested.
- Instruction Scope (ok): SKILL.md and bin/run.mjs are limited to building a request to GET /api/imdb/title-user-reviews-summary-query/v1 and printing the JSON response. The instructions only reference the declared env var and the id parameter; they do not read other files or environment variables. Note: the script sends the token as a query parameter (as required by the API manifest), which may be recorded in server logs or URL history.
- Install Mechanism (ok): There is no install spec that downloads external code; the skill is instruction-only with an included Node script. The script contains straightforward request-building logic and does not fetch or execute additional remote code.
- Credentials (ok): Only JUST_ONE_API_TOKEN is required and is declared as the primary credential. That single token is proportionate for a REST client to JustOneAPI and is documented in the SKILL.md.
- Persistence & Privilege (ok): The skill is not always-enabled, does not modify other skills or system configuration, and does not request elevated or persistent privileges beyond network access to the API endpoint.
