v1.0.0

Weibo User Published Posts API

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 10:02 AM.

Analysis

The skill appears limited to the stated Weibo lookup, but it tells the agent to pass the JustOneAPI token on the command line, which can expose the credential.

Guidance: Review the token-handling issue before installing. If you use it, run only on a trusted machine and prefer a patched version that reads JUST_ONE_API_TOKEN directly from the environment instead of passing it as --token.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High, Confidence: High, Status: Concern
SKILL.md
node {baseDir}/bin/run.mjs --operation "getUserPublishedPostsV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"uid":"<uid>"}'

This instructs the agent to place the JustOneAPI credential in the process command line rather than keeping it only in the environment or another protected secret channel.

User impact: Other local users, process-inspection tools, shell wrappers, or logs that capture process arguments could reveal the API token and allow use of the user's JustOneAPI account.
Recommendation: Do not pass long-lived API tokens through command-line arguments; update the helper to read JUST_ONE_API_TOKEN directly from the environment or stdin, and rotate the token if it may have been exposed.