v1.0.0
Toutiao User Profile API
Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 4:35 AM.
Analysis
The skill's behavior matches its stated purpose (Toutiao user-profile lookup), but the documented invocation passes the JustOneAPI token as a command-line argument, which exposes the credential to anything on the host that can read process arguments.
Guidance: Review before installing or using. The endpoint behavior is focused and non-mutating, but use a restricted, rotatable JustOneAPI token, and prefer modifying or wrapping the helper so the token is read from the environment instead of passed on the command line.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Permission boundary
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
SKILL.md
node {baseDir}/bin/run.mjs --operation "getToutiaoUserDetailV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'
The documented command passes the API token as a CLI argument. The shell expands $JUST_ONE_API_TOKEN before the process starts, so the plaintext token sits in the argument list, which on Linux is readable by any local account through ps or /proc/<pid>/cmdline and is routinely captured by process-monitoring and EDR telemetry. This reduces credential containment.
User impact: A local user or monitoring tool with process-argument visibility could capture the JustOneAPI token and use the associated API access or quota.
Recommendation: Change the helper to read JUST_ONE_API_TOKEN directly from process.env (or another secret mechanism such as a secrets manager) and stop accepting --token, so the documented invocation fails closed instead of leaking. Environment variables are still readable by processes running as the same user (and by root) via /proc/<pid>/environ, but unlike arguments they are not exposed to every local account. Rotate the token if it may already have been exposed.
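The following is an added example of the recommended change, not the skill's own run.mjs. It takes the operation and params from argv as the skill does, but reads the credential only from the JUST_ONE_API_TOKEN environment variable (the one name taken from SKILL.md), rejects a --token argument outright, and redacts the token from anything that is logged. The helper names, the constructed environment and the sample token are assumptions for illustration.

```javascript
// Added example (not the skill's code): credential from the environment, never from argv.
// Assumed: JUST_ONE_API_TOKEN is the variable named in SKILL.md; all other names are illustrative.

const TOKEN_ENV = "JUST_ONE_API_TOKEN";

// Parse "--key value" and "--key=value" pairs from an argv slice into an object.
function parseArgs(argv) {
  const opts = {};
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    if (!a.startsWith("--")) continue;
    const eq = a.indexOf("=");
    if (eq !== -1) {
      opts[a.slice(2, eq)] = a.slice(eq + 1);
    } else {
      opts[a.slice(2)] = argv[i + 1];
      i++;
    }
  }
  return opts;
}

// Resolve the API token from the environment only. A --token argument is rejected
// so the invocation documented in SKILL.md fails closed instead of leaking the
// secret through process arguments.
function resolveToken(opts, env) {
  if ("token" in opts) {
    throw new Error(
      `--token is not accepted: set ${TOKEN_ENV} in the environment instead ` +
        "(process arguments are readable by other local processes)"
    );
  }
  const token = env[TOKEN_ENV];
  if (typeof token !== "string" || token.trim() === "") {
    throw new Error(`${TOKEN_ENV} is not set`);
  }
  return token;
}

// Replace every occurrence of the token in a string before it reaches logs or stderr.
function redact(text, token) {
  return token ? text.split(token).join("[REDACTED]") : text;
}

// Build the request description: operation and params from argv, credential from env.
// Returns the object a transport layer would send; no network call is made here.
function buildRequest(argv, env) {
  const opts = parseArgs(argv);
  const token = resolveToken(opts, env);
  if (!opts.operation) throw new Error("--operation is required");
  const params = JSON.parse(opts["params-json"] ?? "{}");
  return {
    operation: opts.operation,
    params,
    headers: { Authorization: `Bearer ${token}` },
  };
}

// Stand-alone demonstration with a constructed environment and a constructed token.
const demoEnv = { [TOKEN_ENV]: "example-token-not-real" };
const demoArgv = ["--operation", "getToutiaoUserDetailV1", "--params-json", '{"userId":"123"}'];

const demoRequest = buildRequest(demoArgv, demoEnv);
console.log("accepted:", redact(JSON.stringify(demoRequest), demoEnv[TOKEN_ENV]));

try {
  // The SKILL.md style of invocation, with the secret on the command line.
  buildRequest([...demoArgv, "--token", demoEnv[TOKEN_ENV]], demoEnv);
} catch (e) {
  console.log("rejected:", redact(e.message, demoEnv[TOKEN_ENV]));
}
```

Rejecting --token rather than merely ignoring it matters: if the flag were silently dropped, the insecure command in SKILL.md would keep working and the token would still be written into the argument list even though the helper no longer used it.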
