Skill v1.0.0

ClawScan security

JD.com Product Details API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 29, 2026, 4:07 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, requirements, and runtime instructions are consistent with its stated purpose of calling JustOneAPI's JD.com product-details endpoint and request only the expected token and itemId inputs.
Guidance
This skill appears to do exactly what it says: it requires node and JUST_ONE_API_TOKEN and will call JustOneAPI's JD item-detail endpoint with itemId and token as query params. Before installing, be aware: (1) the token is passed as a query parameter (common for some APIs) which can be exposed in logs or URLs — treat the token like a secret and use a scoped/revocable token when possible; (2) the helper prints the raw JSON response to stdout unredacted, so avoid running it in contexts where stdout is captured or logged publicly; (3) SKILL.md asks the agent to produce a short human summary before the raw JSON, but the included script only prints JSON — the agent must be responsible for adding that summary. If those conditions are acceptable, the skill is coherent with its stated purpose.

Review Dimensions

Purpose & Capability
ok: Name/description, required binary (node), and the single required env var (JUST_ONE_API_TOKEN) match the implemented behavior: a small Node CLI that issues an HTTP GET to https://api.justoneapi.com/api/jd/get-item-detail/v1 with itemId and token as query parameters.
Instruction Scope
note: SKILL.md instructs the agent to request missing itemId values and to present a short endpoint-specific summary followed by raw JSON. The included run.mjs implements the HTTP call and prints the JSON response to stdout; it fails when required params (token/itemId) are missing. This is coherent overall, but there is a minor mismatch: the helper prints only the JSON and does not produce the human-readable summary itself — the agent must generate that summary around the helper output.
Install Mechanism
ok: There is no install spec and the skill is instruction-plus-a-small-script only. No external downloads or package installs are performed by the skill.
Credentials
ok: The sole required credential is JUST_ONE_API_TOKEN (declared as primaryEnv), which directly maps to the API service being called. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok: The skill does not request persistent or elevated privileges (always:false). It does not modify other skills or system configuration.