Skill v1.0.0
ClawScan security
Kuaishou Video Comments API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 12:12 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is a small, focused wrapper around JustOneAPI's Kuaishou comments endpoint and its declared requirements (node + JUST_ONE_API_TOKEN) match what it actually does.
- Guidance: This skill is a simple wrapper for JustOneAPI's Kuaishou comments endpoint and asks only for a JustOneAPI token and node. Before installing: ensure you trust api.justoneapi.com and the Just One API service; avoid pasting your token into chat or screenshots; be aware the token is sent as a URL query parameter (which can be logged or leaked via referer headers); if possible, prefer APIs that accept tokens in headers. Test with a limited or disposable token first if you are cautious.
Review Dimensions
- Purpose & Capability: ok. Name/description match the implementation: the code calls https://api.justoneapi.com/api/kuaishou/get-video-comment/v1 and requires a JustOneAPI token and node. Nothing required by the skill is unrelated to fetching Kuaishou comments.
- Instruction Scope: ok. SKILL.md and bin/run.mjs only instruct calling the documented endpoint, validating required params, and returning JSON. The instructions do not read local files or access unrelated environment variables or endpoints.
- Install Mechanism: ok. No install spec; this is instruction-only with a small included Node script. No remote downloads or archive extraction, and the included code is short and straightforward.
- Credentials: note. Only JUST_ONE_API_TOKEN is required (declared as primary credential), which is appropriate. Note: the implementation sends the token as a query parameter named 'token' (in the URL), which can be exposed in logs or referer headers. This is a security practice consideration but does not make the requirement disproportionate.
- Persistence & Privilege: ok. 'always' is false and the skill does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed (platform default).
