v1.0.0

Toutiao Article Details API

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 4:35 AM.

Analysis

This is a narrow Toutiao article-details API wrapper, but it passes the JustOneAPI token on the command line, which can expose the credential.

Guidance: Review the credential handling before installing. If you use this skill, use a limited or disposable JustOneAPI token where possible, run it only on a trusted machine, avoid sharing terminal logs or process captures, and prefer an updated helper that reads the token without placing it in command-line arguments.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
node {baseDir}/bin/run.mjs --operation "getToutiaoArticleDetailV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"id":"<id>"}'

The required JustOneAPI credential is supplied as a command-line argument. After shell expansion, that secret can be exposed through process argv or command logging, even though the API use itself is purpose-aligned.

User impact: Someone with access to local process listings or captured execution logs could obtain the token and use the user's JustOneAPI account or quota.
Recommendation: Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin instead of argv; run only in a trusted environment, avoid logging full commands, and rotate the token if it may have been exposed.