ClawHub

TikTok API

v1.0.5

Analyze TikTok workflows with JustOneAPI, including user Published Posts, post Details, and user Profile across 7 operations.

0· 28·1 current·1 all-time
by@justoneapi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name, description, declared requirements (node + JUST_ONE_API_TOKEN), SKILL.md, and the included operation manifests all align: this skill calls JustOneAPI TikTok endpoints to return user/posts/comments data. The requested environment variable (JUST_ONE_API_TOKEN) is appropriate for the stated purpose.
Instruction Scope
Runtime instructions are narrow and focused: read operations.md, ask for missing params, and run bin/run.mjs to call the selected endpoint. There is no instruction to read unrelated files or credentials. One operational detail: the SKILL.md shows running node bin/run.mjs with --token "$JUST_ONE_API_TOKEN" (i.e., passing the token on the command line), which can expose the token via process listings or shell history; this is a security/privacy concern in practice even though it doesn't change the skill's claimed purpose.
Install Mechanism
No install spec; instruction-only + a small included Node script (bin/run.mjs). Nothing is downloaded from arbitrary URLs or installed system-wide. Requiring the node binary is proportionate because the helper script is a JS executable.
Credentials
Only one credential is required (JUST_ONE_API_TOKEN) which matches the declared primaryEnv and is necessary for authenticated requests to JustOneAPI. However, the token will be passed as a CLI argument per the SKILL.md/run instructions (and the operations expect a 'token' query param), which increases the risk of accidental exposure on shared systems; consider supplying the token via an environment variable that the script reads directly or via a protected stdin mechanism instead.
Persistence & Privilege
always is false and the skill does not request elevated/persistent system-wide privileges. It includes only its own helper script and generated operation docs and does not modify other skills or system configs.
Assessment
This skill is coherent: it calls JustOneAPI endpoints to fetch TikTok data and legitimately needs JUST_ONE_API_TOKEN and node. Before installing, verify you trust api.justoneapi.com and the skill author. Be cautious about how you supply the token: the provided example passes it as a command-line argument (--token "$JUST_ONE_API_TOKEN"), which can leak the token via process listings or shell history on multi-user systems — prefer methods that avoid exposing secrets on the command line (e.g., let the script read the token from the environment directly or from a protected file/stdin). If you need stronger assurance, inspect the full bin/run.mjs file locally to confirm it only makes requests to https://api.justoneapi.com and does not forward data elsewhere.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ah2c0wqcv2shv8ebrr1ryr58492a3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode
EnvJUST_ONE_API_TOKEN
Primary envJUST_ONE_API_TOKEN

Comments