Back to skill
Skillv1.0.0
ClawScan security
Kuaishou Video Search API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 30, 2026, 12:13 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and required token are consistent with a simple wrapper for JustOneAPI's Kuaishou video search endpoint.
- Guidance
- This skill appears to do only what it says: call JustOneAPI's Kuaishou search endpoint. Before installing, confirm you trust JustOneAPI and are comfortable granting a token that can perform searches. Be aware the token is sent as a query parameter (may appear in proxy or server logs) — avoid using high-privilege tokens, rotate tokens if you stop using the skill, and do not paste the token into chats or screenshots. If you need stronger secrecy, request or modify the integration to pass the token in an Authorization header instead of the URL.
Review Dimensions
- Purpose & Capability
- okName and description match the implemented behavior: a small Node CLI that calls GET /api/kuaishou/search-video/v2 on https://api.justoneapi.com. Requiring node and JUST_ONE_API_TOKEN is appropriate for this purpose.
- Instruction Scope
- okSKILL.md and bin/run.mjs limit actions to building the request (keyword, page, token), issuing an HTTP GET, and returning JSON or error payloads. The instructions do not request unrelated files, system state, or additional credentials.
- Install Mechanism
- okNo install spec; the skill is instruction-only with a small included Node script. Nothing is downloaded or written to disk beyond executing the bundled script.
- Credentials
- noteOnly JUST_ONE_API_TOKEN is required and declared as the primary credential, which is proportionate. Minor privacy/security note: the script sends the token as a query parameter (token=<value>), which can be exposed in logs or proxy traces—this is a security consideration but does not contradict the skill's stated purpose.
- Persistence & Privilege
- okThe skill does not request always:true or any persistent/system-wide privileges and does not modify other skills or system config. Autonomous invocation is allowed by default (normal).