Skill v1.0.0

ClawScan security

TikTok User Profile API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 30, 2026, 9:32 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it only requires a JustOneAPI token and node, calls JustOneAPI's TikTok user-detail endpoint, and contains only a small helper script that performs that request.
Guidance
This skill appears to do exactly what it says: send your JUST_ONE_API_TOKEN to api.justoneapi.com to fetch TikTok user profile data. Before installing, confirm you trust JustOneAPI and that the token has only the permissions you intend. Note that the helper sends the token as a query parameter (which can be logged by intermediaries or server logs) and prints raw JSON to stdout — avoid pasting the token into chat or public logs. If you need the agent to add a human-readable summary before returning results, be aware the bundled script currently outputs only JSON; you can wrap or modify it if required. Revoke the token if you suspect exposure.

Review Dimensions

Purpose & Capability
ok: Name/description, declared env var (JUST_ONE_API_TOKEN), and the bundled bin/run.mjs all align: the script builds a GET request to https://api.justoneapi.com/api/tiktok/get-user-detail/v1 and requires a token query parameter. Required binary 'node' is appropriate for the provided script.
Instruction Scope
note: SKILL.md instructs the agent to call the bundled helper and to return a short endpoint-specific summary followed by raw JSON. The helper (bin/run.mjs) prints only the raw JSON to stdout and does not produce the summary text; this is an output-format inconsistency but not a sign of malicious behavior. The SKILL.md does not ask the agent to read unrelated files or env vars.
Install Mechanism
ok: No install spec; this is instruction+helper-only and requires no downloads. That is low-risk; the single included JS file is small and readable and does not attempt to write files or execute other downloads.
Credentials
ok: Only JUST_ONE_API_TOKEN is required and it is the expected credential for calling JustOneAPI. No unrelated secrets or config paths are requested.
Persistence & Privilege
ok: always is false, the skill does not request persistent/system-wide changes, and it does not modify other skills or agent settings.