v1.0.0
Weibo User Video List API
ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 11:37 AM.
Analysis
The skill appears to do the advertised Weibo API lookup, but it handles the JustOneAPI token in a way that can expose the secret on the local command line.
Guidance: Only use this skill in a trusted environment, and prefer a version that reads the JustOneAPI token directly from a protected environment variable rather than placing it on the command line.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Permission boundary
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
node {baseDir}/bin/run.mjs --operation "getWeiboUserVideoListV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"uid":"<uid>"}'
This invocation expands the API token into a process command-line argument. Process argv can be visible to other local users, system tools, shell wrappers, or logs, which weakens the credential boundary.
User impact: Someone with access to the machine or to process telemetry could see and reuse your JustOneAPI token.
Recommendation: Change the helper to read JUST_ONE_API_TOKEN directly from the environment, stdin, or a secret manager instead of passing it with --token; rotate the token if it may have been exposed.
