Back to skill
Skillv1.0.0
ClawScan security
Kuaishou User Published Videos API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 4:07 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required JUST_ONE_API_TOKEN are consistent with its stated purpose of calling JustOneAPI's Kuaishou get-user-video-list endpoint; nothing in the bundle requests unrelated credentials, installs arbitrary code, or attempts to access other system data.
- Guidance
- This skill appears coherent and limited to calling JustOneAPI for Kuaishou video lists. Before installing: (1) ensure JUST_ONE_API_TOKEN is indeed a JustOneAPI credential and you trust that service, (2) be aware the helper sends the token as a query parameter (tokens in URLs can be logged by servers/proxies), (3) confirm you are comfortable allowing outbound network calls to https://api.justoneapi.com, and (4) never paste the token into chat or public logs. If you need stricter security, ask the maintainer to send the token in an Authorization header instead of a query parameter.
Review Dimensions
- Purpose & Capability
- okName/description (fetch Kuaishou user videos) aligns with requirements: node runtime and a single API token (JUST_ONE_API_TOKEN). The only non-token input is userId, which matches the endpoint.
- Instruction Scope
- okSKILL.md instructs the agent to call the included Node helper with the token and userId, to prompt for missing parameters, and to return JSON. It does not instruct reading unrelated files, environment variables, or system state.
- Install Mechanism
- okNo install spec; the skill is instruction + a small included Node script (bin/run.mjs). Requiring the node binary is proportionate and expected.
- Credentials
- okOnly JUST_ONE_API_TOKEN is required and declared as the primary credential. No unrelated secrets, config paths, or additional environment access are requested.
- Persistence & Privilege
- okalways is false and the skill does not modify other skills or persistent agent settings. It runs on demand and does not request elevated or permanent presence.