Skill v1.0.0

ClawScan security

Instagram Hashtag Posts Search API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 29, 2026, 12:12 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is a small, focused wrapper for JustOneAPI's Instagram hashtag-search endpoint, and its code, declared requirements, and instructions align with that purpose.
Guidance
This skill appears to do what it says: call JustOneAPI's Instagram hashtag search. Before installing, ensure you trust JustOneAPI and the token you provide: the helper sends the token as a URL query parameter (which can be logged by servers or proxies), so use a token with limited scope and rotate it if possible. Do not paste the token into chat or public logs. If you need stricter secrecy, confirm whether the API supports sending tokens in headers (safer) or consider tooling that avoids exposing credentials in URLs. Otherwise this skill is coherent and proportionate to its stated purpose.

Review Dimensions

Purpose & Capability
ok
Name/description (Instagram hashtag posts search) match the requested env var (JUST_ONE_API_TOKEN), required binary (node), endpoint base URL (api.justoneapi.com), and included operation. Nothing requested appears unrelated to the stated purpose.
Instruction Scope
ok
SKILL.md and bin/run.mjs only describe constructing and calling the documented GET endpoint, asking for a 'hashtag' parameter and the API token. They do not request unrelated files, system config, or other credentials. The tool will print raw JSON results after a short summary as documented.
Install Mechanism
ok
No install spec; this is an instruction file plus a small helper script that runs with node. No remote downloads or archive extraction are performed. The single included script is readable and directly implements the HTTP call.
Credentials
note
Only JUST_ONE_API_TOKEN is required (primary credential), which is proportionate for calling JustOneAPI. Note: the implementation attaches the token as a query parameter (token=<value>), which can be exposed in logs, referrers, or server access logs — consider token scoping/rotation and the API's recommended auth method.
Persistence & Privilege
ok
The skill does not request permanent/always-on inclusion and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.