Skill v1.0.0
ClawScan security
Kuaishou User Search API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 12:13 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is internally consistent: it calls JustOneAPI's Kuaishou user-search endpoint, requires a single API token and node, and its files and runtime behavior align with that purpose.
- Guidance: This skill appears to do exactly what it claims: call JustOneAPI's Kuaishou user-search endpoint using JUST_ONE_API_TOKEN. Before installing, verify you trust JustOneAPI and the token's permissions. Prefer passing the token via environment variable (the helper already reads a provided --token value but you should avoid embedding secrets in chat or screenshots); be aware that passing secrets as CLI arguments can expose them in process listings or shell history—if this is a concern, consider wrapping the call so the token is supplied via stdin or a secure env var. Also note the helper prints raw JSON; if you need a human-readable summary (as SKILL.md recommends), ensure the agent or calling code formats the output accordingly.
Review Dimensions
- Purpose & Capability (ok): Name, description, required env var (JUST_ONE_API_TOKEN), required binary (node), and the included run.mjs implementation all match the stated purpose of calling GET /api/kuaishou/search-user/v2 on api.justoneapi.com.
- Instruction Scope (note): SKILL.md tells the agent to run the bundled node helper and to echo a short summary before returning raw JSON. The helper (bin/run.mjs) performs only the described HTTP GET against api.justoneapi.com and prints the response JSON. Two minor behavioral notes: (1) the helper expects the token passed via the --token CLI argument (which can be visible in process listings on some systems), and (2) the helper prints raw JSON only (it does not itself emit the human-readable operation ID/summary requested by SKILL.md). Neither is evidence of malicious behavior but they affect privacy and agent output formatting.
- Install Mechanism (ok): There is no install script that downloads remote code; the skill is instruction/code-only and requires an existing node binary. No external URLs, extract steps, or package installs are used by the skill itself.
- Credentials (ok): The only required environment value is JUST_ONE_API_TOKEN (declared as the primary credential), which is appropriate for an API client. Note: the run command recommended in SKILL.md passes the token as a CLI argument (--token), which can be exposed in process listings or shell histories on some systems; this is a privacy consideration rather than an incoherence between purpose and requested credentials.
- Persistence & Privilege (ok): The skill does not request persistent or elevated platform privileges. always is false, there are no config paths requested, and the skill does not modify other skills or system-wide settings.
