Skill v1.0.0
ClawScan security
Taobao and Tmall Product Details API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 6:46 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, instructions, and bundled code are consistent with its stated purpose (calling JustOneAPI Taobao/Tmall item-detail endpoints) and do not request unrelated credentials or perform unexpected actions.
- Guidance: This skill appears coherent: it only needs node and JUST_ONE_API_TOKEN to call JustOneAPI endpoints, and the included script simply fetches JSON and prints it. Before installing, verify you trust JustOneAPI and the skill publisher, and ensure the token you provide has only the permissions you intend. Be aware the token is sent as a query parameter (which can be logged or leaked by proxies); avoid pasting the token into chats or logs. If you require stricter token handling, prefer an API that accepts tokens in Authorization headers, or request that the skill be updated to use headers instead of query params.
Review Dimensions
- Purpose & Capability (ok): Name/description match the actual behavior: the skill calls 5 versioned get-item-detail endpoints on api.justoneapi.com. The required binary (node) and required env var (JUST_ONE_API_TOKEN) align with making authenticated HTTP calls to that API.
- Instruction Scope (ok): SKILL.md and the provided bin/run.mjs are narrowly scoped: they require an operation, itemId, and the JUST_ONE_API_TOKEN, build a request to the documented endpoint, and print the JSON response. The instructions do not read other files, probe system state, or send data to additional endpoints.
- Install Mechanism (ok): There is no install spec (instruction-only deployment). A small helper script is included, but no external downloads or archive extraction are performed. Risk from installation is minimal.
- Credentials (note): Only JUST_ONE_API_TOKEN is required, and it is the expected credential for the JustOneAPI service. Note: the script injects the token as a query parameter (token=...) rather than an Authorization header, which can expose the token in logs, proxies, or referer headers; consider this when deciding to reuse a sensitive token.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request persistent system privileges or modify other skills. It runs only when invoked and only performs outbound HTTP requests to the stated baseUrl.
