Back to skill
Skillv1.0.0
ClawScan security
Instagram User Profile API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 12:12 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requested credential (JUST_ONE_API_TOKEN) are consistent with its stated purpose of calling JustOneAPI's Instagram get-user-detail endpoint.
- Guidance
- This skill appears to do exactly what it claims: call JustOneAPI's Instagram get-user-detail endpoint using node and your JUST_ONE_API_TOKEN. Before installing, verify you trust JustOneAPI (https://api.justoneapi.com) and that your token's scope/permissions are appropriate. Note the token is sent as a query parameter (and over HTTPS) — query parameters can appear in server logs or proxy logs, so treat the token as sensitive and rotate/revoke it if exposed. Ensure your runtime has a Node version that provides global fetch (Node 18+ or polyfill) or run the script in an environment where node's fetch is available. Finally, avoid pasting the token into chat or logs; pass it via the declared environment variable when invoking the helper.
Review Dimensions
- Purpose & Capability
- okName/description (Instagram user profile via JustOneAPI) match the requested binary (node) and required env var (JUST_ONE_API_TOKEN). The included run.mjs implements exactly the documented GET /api/instagram/get-user-detail/v1 call.
- Instruction Scope
- okSKILL.md and run.mjs are scoped to collecting a single required parameter (username) and an API token and performing an HTTPS request to api.justoneapi.com. The instructions do not ask the agent to read unrelated files, other env vars, or transmit data to any endpoint outside the documented baseUrl.
- Install Mechanism
- okThis is an instruction-only skill with one small JS helper; there is no install spec, no downloads, and nothing written to disk beyond running the provided script. Required binary (node) is appropriate and expected.
- Credentials
- okOnly one credential is required: JUST_ONE_API_TOKEN (declared as primaryEnv). That aligns with the API usage and there are no unrelated or excessive environment variables requested.
- Persistence & Privilege
- okThe skill does not request always:true, does not modify other skills or system configs, and does not require persistent privileges beyond running when invoked.