Skill v1.0.0

ClawScan security

Kuaishou User Profile API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 29, 2026, 4:07 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, runtime instructions, and requested token are consistent with its stated purpose of calling JustOneAPI's Kuaishou user-profile endpoint.
Guidance
This skill appears coherent and limited to calling JustOneAPI's Kuaishou get-user-detail endpoint. Before installing, confirm you trust JustOneAPI and are comfortable providing JUST_ONE_API_TOKEN (the token is sent as a query parameter to api.justoneapi.com). Do not paste the token into chat; use the environment variable as instructed. Note that the included Node script prints raw JSON to stdout and exits on error. Ensure your Node runtime supports fetch, or run the script in an environment where Node's global fetch is available. If you need stronger guarantees, review the included bin/run.mjs source locally and test with a throwaway token or in an isolated environment.

Review Dimensions

Purpose & Capability
ok
Name/description match the actual behavior: the skill only needs node and JUST_ONE_API_TOKEN to call https://api.justoneapi.com/api/kuaishou/get-user-detail/v1 with a userId. No unrelated credentials or binaries are requested.
Instruction Scope
ok
SKILL.md and bin/run.mjs limit actions to building the request, injecting the provided token, validating required params, calling the documented endpoint, and printing the JSON response. There are no instructions to read other files, system state, or to send data to third parties.
Install Mechanism
ok
No install spec or remote downloads. The skill is instruction-only plus a small local Node script; it requires node to be present. Nothing is written to disk beyond the included files.
Credentials
ok
Only JUST_ONE_API_TOKEN is required and declared as the primary credential. The token is used only to populate the API's 'token' query parameter; no other secrets or environment variables are requested.
Persistence & Privilege
ok
The skill is not always-enabled, does not request persistent system-wide privileges, and does not modify other skills or global config. Autonomous invocation is allowed by default but is typical and not combined with other red flags.