Skill v1.0.0

ClawScan security

Kuaishou Video Details API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 12:12 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and required token match its stated purpose (calling JustOneAPI to fetch Kuaishou video details); nothing requested is unrelated or excessive.
Guidance
This skill appears coherent and only needs your JustOneAPI token and node to run the included helper. Before installing: (1) confirm you trust the JustOneAPI service and the token provider URL shown in SKILL.md; (2) be aware the script sends your token as a URL query parameter (tokens in URLs can appear in logs or proxies) — if you prefer, ask the provider whether an Authorization header is supported; (3) ensure the runtime has a recent Node version (global fetch is used); and (4) never paste the token into chat or screenshots, as the skill itself advises.

Review Dimensions

Purpose & Capability
ok: Name/description require a JustOneAPI token and node to run a small helper that calls GET /api/kuaishou/get-video-detail/v2 — the declared env var (JUST_ONE_API_TOKEN) and node binary are appropriate and expected for this API-focused skill.
Instruction Scope
note: SKILL.md and bin/run.mjs only build a URL, inject the provided token, add the videoId, perform an HTTP GET, and print JSON. They do not read local files or other environment variables. One operational note: the token is passed as a query parameter (token=...), which can be logged in server logs or intermediary proxies; the skill warns users not to paste tokens into chat but does not use an Authorization header.
Install Mechanism
ok: No install script or external downloads. This is an instruction-only skill with an included node script (bin/run.mjs). Nothing is fetched from arbitrary URLs or written to disk beyond running the bundled script.
Credentials
ok: Only JUST_ONE_API_TOKEN is required (declared as primaryEnv). No other credentials, config paths, or unrelated environment variables are requested.
Persistence & Privilege
ok: Skill is not always-enabled; it is user-invocable and may be invoked autonomously (platform default). It does not modify other skills or request persistent system privileges.