Skill v1.0.0
ClawScan security
Taobao and Tmall Product Search API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 6:47 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and code are coherent with a simple JustOneAPI Taobao/Tmall search wrapper and only require a single API token and node to run.
- Guidance
- This skill is internally consistent for calling JustOneAPI's Taobao/Tmall search endpoint and only needs a JUST_ONE_API_TOKEN and node. Before installing: (1) Confirm you trust the JustOneAPI service and obtain the token from the official dashboard linked in SKILL.md; (2) Be aware the provided script sends the token as a query parameter and accepts it as a command-line argument — that can expose the token in process listings or logs; avoid pasting tokens into public chat, and consider using tokens with minimal privileges and short TTLs or rotating them if compromised; (3) Review whether you want the agent to be allowed to call external network endpoints (this script makes outbound HTTPS calls to api.justoneapi.com); (4) If you require stricter handling of secrets, prefer a wrapper that reads the token from a protected environment variable or injects it into an Authorization header rather than placing it in the URL/CLI. If you want me to, I can suggest a small code change to send the token as an Authorization header and avoid exposing it in process arguments/URLs.
Review Dimensions
- Purpose & Capability
- ok: The name/description match the files and manifest: the skill calls GET /api/taobao/search-item-list/v1 on https://api.justoneapi.com. Required binary (node) and required env var (JUST_ONE_API_TOKEN) are appropriate for this API wrapper.
- Instruction Scope
- note: SKILL.md instructs the agent to run bin/run.mjs with --operation and --token; the runtime code only builds a URL, appends query params (including token), performs a fetch to api.justoneapi.com, and prints the JSON. There is no filesystem reading or other data collection. Note: the token is passed as a command-line argument / query param (see environment_proportionality note).
- Install Mechanism
- ok: No install spec; this is instruction + a small local script (bin/run.mjs). No downloads or archive extraction occur. Requiring node at runtime is proportionate.
- Credentials
- note: Only JUST_ONE_API_TOKEN is required, which is appropriate. However, the script expects the token to be passed as a CLI argument and sends it as a query parameter; command-line arguments can be visible to other local users/processes, and tokens in URLs may be logged by intermediaries or servers. This is a privacy/security consideration but not an incoherence with the skill's purpose.
- Persistence & Privilege
- ok: The skill does not request always:true and does not modify other skills or system configuration. Its runtime behavior is limited to executing a single outbound HTTPS request to the declared API host.
