v1.0.0
Toutiao Search API
Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 4:35 AM.
Analysis
The skill appears to call the advertised Toutiao search API, but its documented command passes the API token as a command-line argument, which can expose the token to anything that can read process arguments on the host.
Guidance
Only install or use this skill if you are comfortable providing a JustOneAPI token for Toutiao search. Avoid running the documented command in environments where process arguments are visible to other users or are captured in logs, and prefer changing the helper to read the token directly from the JUST_ONE_API_TOKEN environment variable.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Permission boundary
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
node {baseDir}/bin/run.mjs --operation "searchToutiaoV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"keyword":"<keyword>"}'
The documented invocation puts the JustOneAPI credential into the process argument list. The token is required for the service, but argv-based secret handling makes it visible to local process inspection (for example ps or /proc/<pid>/cmdline), process-monitoring agents, and any logging that records command lines. Note that the shell expands "$JUST_ONE_API_TOKEN" before the process starts, so the child's argv contains the token value itself, not the variable name.
User impact
Any user or process that can read command lines on the machine could see and reuse the API token.
Recommendation
Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or from stdin instead of requiring --token. If this command has already been run in an exposed environment, rotate the token.
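The two invocation patterns side by side, as an added example written for this review rather than code from the skill or its run.mjs: the argv-based form the finding describes, the environment-based form it recommends, a token resolver that refuses --token outright, an argv exposure check, and a redaction helper for logging. Function names, the demo token, and the helper path are assumptions; only JUST_ONE_API_TOKEN, --token, --operation and --params-json come from the documented command.

```javascript
// Added example, not the skill's own run.mjs. Function names and the
// demo token are illustrative assumptions.

const TOKEN_FLAG = "--token";
const TOKEN_ENV = "JUST_ONE_API_TOKEN";

// The documented pattern: the shell expands "$JUST_ONE_API_TOKEN" before
// exec, so the token value lands in argv, which ps, /proc/<pid>/cmdline
// and command-line logging all record in clear.
function buildArgvInvocation(token, keyword) {
  return [
    "node", "bin/run.mjs",
    "--operation", "searchToutiaoV1",
    TOKEN_FLAG, token,
    "--params-json", JSON.stringify({ keyword }),
  ];
}

// The recommended pattern: argv carries no secret. The token rides in the
// child's environment, which on Linux (/proc/<pid>/environ) is readable
// only by the same user or root, unlike the world-readable cmdline.
function buildEnvInvocation(token, keyword, baseEnv = {}) {
  return {
    argv: [
      "node", "bin/run.mjs",
      "--operation", "searchToutiaoV1",
      "--params-json", JSON.stringify({ keyword }),
    ],
    env: { ...baseEnv, [TOKEN_ENV]: token },
  };
}

// Token resolution inside the helper: reject --token so users cannot fall
// back into the exposed pattern, then read the env var and sanity-check it
// before it goes into an Authorization header or query parameter.
function resolveToken(argv, env) {
  if (argv.some((a) => a === TOKEN_FLAG || a.startsWith(TOKEN_FLAG + "="))) {
    throw new Error(`${TOKEN_FLAG} is not accepted; export ${TOKEN_ENV} instead`);
  }
  const token = (env[TOKEN_ENV] ?? "").trim();
  if (token === "") {
    throw new Error(`${TOKEN_ENV} is not set`);
  }
  if (/\s/.test(token)) {
    throw new Error(`${TOKEN_ENV} contains whitespace; check how it was exported`);
  }
  return token;
}

// Pre-flight check for wrappers, or a detection rule over process-audit
// data: does this command line contain the secret anywhere?
function argvExposes(argv, token) {
  return token !== "" && argv.some((a) => a.includes(token));
}

// Mask the value after --token, a --token=VALUE form, and any other
// occurrence of the token so the command line can still be logged.
function redactArgv(argv, token) {
  const out = [];
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    if (a === TOKEN_FLAG) {
      out.push(a, "<redacted>");
      i++; // skip the value that follows the flag
      continue;
    }
    if (a.startsWith(TOKEN_FLAG + "=")) {
      out.push(TOKEN_FLAG + "=<redacted>");
      continue;
    }
    out.push(token !== "" && a.includes(token) ? a.split(token).join("<redacted>") : a);
  }
  return out;
}

// Demo on a constructed token (not a real credential).
const demoToken = "joa_demo_0123456789";
const exposed = buildArgvInvocation(demoToken, "security");
console.log("argv-based :", redactArgv(exposed, demoToken).join(" "));
console.log("exposes?   :", argvExposes(exposed, demoToken));
const hardened = buildEnvInvocation(demoToken, "security");
console.log("env-based  :", hardened.argv.join(" "));
console.log("exposes?   :", argvExposes(hardened.argv, demoToken));
console.log("resolved   :", resolveToken(hardened.argv, hardened.env) === demoToken);
```

Reading from stdin instead of the environment works the same way from the resolver's point of view; the key property in both cases is that the secret never appears in argv, so a process-listing or command-line audit log on the host cannot capture it.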
