Weibo Hot Search API
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill appears to call only the advertised Weibo hot-search API, but it passes your JustOneAPI token on the command line where it may be exposed locally.
Review the token-handling path before installing. The API behavior is narrowly scoped to Weibo hot search, but the helper should preferably read the token from the environment or a secret manager rather than receiving it as a command-line argument.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A local user or process that can read command lines could capture the JustOneAPI token and potentially use the account outside this skill.
The documented invocation passes the JustOneAPI credential as a command-line argument. Even though the API call itself is purpose-aligned, command-line arguments can be visible to other local processes, users, or logging/auditing tools.
node {baseDir}/bin/run.mjs --operation "hotSearchV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"key":"value"}'

Change the helper to read JUST_ONE_API_TOKEN directly from the environment or a secret store instead of --token. Use only on trusted machines, avoid logging command lines, and rotate the token if it may have been exposed.
