WeChat Official Accounts Article Comments API
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do the advertised JustOneAPI lookup, but it handles the API token in a way that can expose it through command-line arguments.
Only use this if you trust JustOneAPI and are comfortable providing a token. Avoid running the documented command in environments where command lines are logged or visible to other users, and prefer an updated helper that reads the token directly from the environment.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A leaked JustOneAPI token could let someone else use the user's API account or quota.
The documented command expands the API token into a process argument, which can be visible to other local processes, shell history, terminal logging, or diagnostics even though the credential is intended only for JustOneAPI.
node {baseDir}/bin/run.mjs --operation "getArticleComment" --token "$JUST_ONE_API_TOKEN" --params-json '{"articleUrl":"<articleUrl>"}'
Prefer a version of the helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin instead of accepting it on the command line; use a least-privilege token and revoke it if exposure is suspected.
