v1.0.0

TikTok Shop Product Details API

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:35 AM.

Analysis

The skill matches its stated TikTok Shop product lookup purpose, but its documented command exposes your JustOneAPI token through command-line arguments, so it should be reviewed before use.

Guidance: Before installing, confirm you trust JustOneAPI and the publisher. The helper appears to call only the advertised product-detail endpoint, but avoid exposing the token through command-line arguments where possible, and rotate the token if it may have appeared in process or command logs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
metadata
Source: unknown
Homepage: https://api.justoneapi.com

The registry metadata does not identify a source repository or package provenance, although the included helper code is small and no external install script is present.

User impact: You must rely on the supplied files and the listed provider identity rather than an independently traceable source repository.
Recommendation: Install only if you trust the publisher and the JustOneAPI service; prefer skills with clear source provenance when handling credentials.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
SKILL.md
node {baseDir}/bin/run.mjs --operation "getTiktokShopProductDetailV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"productId":"<productId>"}'

The documented invocation passes the API token as a command-line argument; after shell expansion, that secret can be visible in process listings or command-line telemetry on the local system.

User impact: Someone with access to local process details or command-line logs could capture the JustOneAPI token and use the API account.
Recommendation: Prefer a helper that reads the token directly from an environment variable or stdin rather than argv; if used as-is, run only on trusted machines and rotate the token if it may have been exposed.
Identity and Privilege Abuse
Severity: Low. Confidence: High. Status: Note.
bin/run.mjs
"location": "query",
"name": "token",
"required": true

The operation defines the authentication token as a query parameter, so the helper sends it in the request URL to JustOneAPI. This is disclosed and purpose-aligned, but URL query strings can be captured by logs or intermediaries.

User impact: Your token is sent to the expected API provider, but it may appear in URL-oriented logs handled by the provider or local network tooling.
Recommendation: Treat the token as sensitive, use the skill only with a trusted JustOneAPI account, and prefer API designs that use Authorization headers if available.