WeChat Official Accounts Article Engagement Metrics API
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a narrow JustOneAPI wrapper, but it tells the agent to pass your API token on the command line, which can expose the token locally.
Review the token-handling before installing. The API wrapper itself is coherent and narrow, but you should prefer a version that reads JUST_ONE_API_TOKEN directly from the environment rather than passing it as --token, and rotate the token if you suspect it was exposed.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your JustOneAPI token could be visible to local process inspection, terminal history, command logging, or monitoring tools, depending on the environment.
The documented invocation places the high-value API token in process argv instead of having the helper read it directly from the environment or stdin.
node {baseDir}/bin/run.mjs --operation "getArticleFeedback" --token "$JUST_ONE_API_TOKEN" --params-json '{"articleUrl":"<articleUrl>"}'Change the helper and instructions to read JUST_ONE_API_TOKEN directly from the environment or stdin, avoid passing secrets as command-line arguments, and use a restricted token if available.
The article URL you provide, along with the API token required by the provider, is sent to JustOneAPI to fulfill the request.
The helper makes an outbound request to the declared JustOneAPI provider using the supplied operation parameters.
"baseUrl": "https://api.justoneapi.com" ... response = await fetch(url, requestInit);
Use the skill only for article URLs you intend to send to JustOneAPI, and confirm you trust the provider and token scope.