v1.0.0

TikTok Shop Product Search API

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:35 AM.

Analysis

The skill mostly does what it claims, but it handles the required JustOneAPI token in a way that can expose it through command-line arguments.

GuidanceReview this skill before installing. Its endpoint behavior is narrow and coherent, but use caution with the API token: avoid running the provided command on shared systems, prefer a version that reads the token from the environment internally, and rotate the token if it may have appeared in process listings.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusConcern

SKILL.md

node {baseDir}/bin/run.mjs --operation "searchProductsV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"keyword":"<keyword>"}'

The documented command passes the API credential as a process argument. Command-line arguments can be visible to local process inspection, which is avoidable credential exposure.

User impactSomeone with local process visibility on the same system could potentially see and reuse the JustOneAPI token.

RecommendationPrefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin instead of requiring --token on the command line; rotate the token if it may have been exposed.