Taobao and Tmall API

v1.0.3

Analyze Taobao and Tmall workflows with JustOneAPI, including product Details, product Reviews, and shop Product List across 9 operations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the declared dependency (node), the single required env var JUST_ONE_API_TOKEN, and the included OpenAPI-like operation files; the operations are all GET requests against api.justoneapi.com which fits the described Taobao/Tmall functionality.
Instruction Scope
SKILL.md instructs the agent to use bin/run.mjs to call the JustOneAPI endpoints and to ask users for missing parameters — this stays within the declared scope. Minor caveat: the example invocation includes --token "$JUST_ONE_API_TOKEN" which places the secret on the command line (exposed to process listings or shell histories on some systems); the skill otherwise documents that the token is used only for authenticated requests.
Install Mechanism
No install spec; skill is instruction/CLI-wrapper plus generated OpenAPI files. No downloads or remote installers are requested, lowering install-time risk.
Credentials
Only JUST_ONE_API_TOKEN is required and is the primary credential for the third-party API. This is proportionate to the described functionality. Note: the token is sent as a query parameter to api.justoneapi.com, which is expected but can appear in logs or referrers.
Persistence & Privilege
The skill's "always" setting is false, and the skill is user-invocable with normal autonomous invocation allowed; it does not request permanent system-wide privileges or other skills' credentials.
Assessment
This skill appears to be a straightforward wrapper around JustOneAPI's Taobao/Tmall endpoints. Before installing:
(1) Confirm you trust https://api.justoneapi.com and that the JUST_ONE_API_TOKEN you supply has only the minimum needed permissions.
(2) Prefer supplying the token via environment variables (avoid pasting the literal token into chat). Be aware the example CLI places the token on the command line (--token "...") which can expose it to process lists, shell history, or logs — consider modifying usage to read the token from an env var inside the script or from a protected file.
(3) Review bin/run.mjs yourself if you want to verify it only calls api.justoneapi.com and does not send data elsewhere.
(4) Rotate the token if you later suspect it was exposed.

Runtime requirements

Bins: node
Env: JUST_ONE_API_TOKEN
Primary env: JUST_ONE_API_TOKEN
