Weibo Post Details API

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do only the advertised Weibo-detail lookup, but it passes the required JustOneAPI token on the command line, which can expose the credential locally.

Review this skill before installing. It appears focused on the advertised Weibo post-detail endpoint, but you should only use it if you are comfortable sending the requested post ID and your JustOneAPI credential to JustOneAPI. Prefer an updated version that does not pass the token via command-line arguments.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your JustOneAPI token could be exposed to other local processes or logs while the command runs, potentially allowing unauthorized use of your API account.

Why it was flagged

This puts the primary JustOneAPI credential into the helper process arguments. Process arguments can be exposed through local process listings, monitoring tools, crash/debug logs, or command wrappers.

Skill content

node {baseDir}/bin/run.mjs --operation "getWeiboDetailsV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"id":"<id>"}'

Recommendation

Prefer a version of the helper that reads the token directly from the environment or stdin instead of argv. Avoid running this on shared systems, and rotate the token if you believe it was exposed.

What this means

When invoked, the agent can call JustOneAPI for a supplied Weibo post ID and may consume API quota or reveal that lookup to the provider.

Why it was flagged

The helper performs a network request to the documented JustOneAPI endpoint. This is purpose-aligned and bounded to one operation, but users should understand that queried Weibo IDs are sent to JustOneAPI.

Skill content

"baseUrl": "https://api.justoneapi.com" ... "path": "/api/weibo/get-weibo-detail/v1" ... response = await fetch(url, requestInit);

Recommendation

Use the skill only for post IDs you intend to send to JustOneAPI, and monitor token/API usage according to your account policies.