Skill v1.0.0

ClawScan security

Kuaishou Share Link Resolution API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 12:13 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it implements a single JustOneAPI GET endpoint, requires only a JustOneAPI token and node, and the code matches the documented behavior.
Guidance
This skill is a small, focused wrapper around JustOneAPI's Kuaishou share-link resolution endpoint. Before installing: ensure you trust the JustOneAPI service (api.justoneapi.com), have a token with minimal scope, and are comfortable that the token will be sent to that domain (note the token is sent as a query parameter which may be recorded in logs). The skill requires a local node runtime to run the included script but does not download external code during install. If you later revoke access, rotate the JUST_ONE_API_TOKEN. If you need stronger secrecy, verify whether the API supports passing the token in a header instead of a query parameter.

Review Dimensions

Purpose & Capability
ok: Name/description match the artifacts: the manifest, SKILL.md, and bin/run.mjs all target GET /api/kuaishou/share-url-transfer/v1. Required binary (node) and JUST_ONE_API_TOKEN are appropriate for this API wrapper.
Instruction Scope
ok: SKILL.md limits runtime actions to calling the JustOneAPI endpoint, asking for the shareUrl if missing, and returning the result. It does not instruct reading other files, system paths, or unrelated environment variables.
Install Mechanism
ok: No install spec; the skill is instruction + a small local script (bin/run.mjs). Nothing is downloaded from third-party URLs and no extract/install steps are present.
Credentials
note: Only JUST_ONE_API_TOKEN is required (primary credential), which is proportional. Note: the script sends the token as a query parameter per the OpenAPI definition; query parameters can be exposed in logs or referrers, so consider token risk and token scope/rotation policies.
Persistence & Privilege
ok: "always" is false and the skill does not request persistent system privileges or modify other skills/config. Autonomous invocation is permitted by default but not a unique risk here.