Web Page HTML Content API
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill appears to do the advertised JustOneAPI HTML fetch, but it passes your API token on the command line where it may be exposed locally.
Install only if you are comfortable sending target URLs to JustOneAPI, and prefer not to use the documented --token command form on shared or monitored systems. Ask the maintainer to update the helper so it reads the token from the environment directly.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A local user or monitoring tool could potentially see the JustOneAPI token and use it to make API calls under the user's account.
The API token is expanded into a command-line argument. Process arguments can be visible to other local processes, diagnostics, shell wrappers, or audit tooling, so this exposes the credential more than necessary.
node {baseDir}/bin/run.mjs --operation "htmlV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"url":"<url>"}'Change the helper to read JUST_ONE_API_TOKEN directly from the environment, stdin, or a secret store instead of accepting it as --token. If this command has already been run on a shared machine, consider rotating the token.
JustOneAPI will receive the URL being fetched and may receive any sensitive information embedded in that URL.
The skill sends a user-provided URL to an external provider so that provider can fetch and return the page HTML. This is purpose-aligned, but users should understand the external data flow.
Required non-token inputs are `url`... Get the HTML content of a web page.
Only use this skill for URLs you are comfortable sending to JustOneAPI; avoid URLs containing private tokens, session IDs, or confidential internal resources.