Skill v1.0.0
ClawScan security
JD.com Product Comments API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 4:07 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and required environment variables align with its stated purpose (calling JustOneAPI's JD.com comments endpoint) and do not request unrelated credentials or perform surprising actions.
- Guidance: This skill appears coherent with its purpose, but review these practical points before installing: (1) The JUST_ONE_API_TOKEN is sent as a query parameter by the helper — tokens in URLs can be exposed in logs, referer headers, or CLI history; avoid sharing or pasting the token and consider using a token with limited scope/rotation. (2) The helper prints raw JSON to stdout; be careful if you pipe or log outputs as they may contain sensitive data. (3) Verify you trust JustOneAPI (https://api.justoneapi.com) and that the token you provide has only the minimal necessary permissions. (4) Ensure your agent environment has a recent Node installed (fetch is used).
Review Dimensions
- Purpose & Capability (ok): Name/description match the code and SKILL.md: the skill calls JustOneAPI's GET /api/jd/get-item-comments/v1. Required runtime (node) and the single env var JUST_ONE_API_TOKEN are consistent with this purpose.
- Instruction Scope (note): SKILL.md and bin/run.mjs instruct running a local node helper that performs an HTTP GET to the documented JustOneAPI endpoint and prints raw JSON. One notable detail: the API token is passed as a query parameter (operation parameter named 'token'), which can expose the token in logs or referer headers — this is an API design choice, not hidden malicious behavior. The skill requests only the itemId and optional page; it does not read other files or env vars.
- Install Mechanism (ok): No install script; this is instruction-only with an included small helper script (bin/run.mjs). No downloads from external URLs or package installs are performed by the skill itself. The only runtime requirement is the node binary.
- Credentials (ok): Only JUST_ONE_API_TOKEN is required and declared as the primary credential, which matches the documented API usage. There are no unrelated or excessive environment variables or config path requirements.
- Persistence & Privilege (ok): 'always' is false and the skill does not request persistent system-wide configuration or modify other skills. It can be invoked autonomously (platform default), which is expected for skills of this type and is not combined with other red flags.
