Weibo User Followers API

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to call the advertised JustOneAPI endpoint, but its instructions pass the API token on the command line where it may be exposed.

Use only if you are comfortable sending the requested Weibo uid and your JustOneAPI token to JustOneAPI. Consider patching the helper to read the token from the environment internally, use a scoped/rotatable token, and avoid running the documented command on shared or heavily logged systems.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

On shared machines or systems with command/process telemetry, another local user or logging tool could capture the JustOneAPI token and use the account or quota.

Why it was flagged

The official run instruction passes the API token as a command-line argument. When the command is executed, the shell expands the environment variable before node starts, so the literal secret becomes part of the process arguments and can be exposed through them.

Skill content

node {baseDir}/bin/run.mjs --operation "getFollowersV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"uid":"<uid>"}'

Recommendation

Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or a secret manager instead of argv, avoid running this on shared systems, and rotate the token if it may have been exposed.