WeChat Official Accounts User Published Posts API

Warn

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a focused JustOneAPI wrapper, but it passes the API token on the command line where it may be exposed locally.

Install only if you trust JustOneAPI and need this WeChat lookup. The main issue is credential handling: ask for or implement a safer helper that reads JUST_ONE_API_TOKEN from the environment without passing it as a command-line argument, and rotate the token if it may have been exposed.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token is exposed, someone else could use the user's JustOneAPI account or consume its quota.

Why it was flagged

The documented invocation places the API token into process argv after shell expansion, which can be visible to other local processes, system monitoring, or command-capture tooling.

Skill content

node {baseDir}/bin/run.mjs --operation "getUserPost" --token "$JUST_ONE_API_TOKEN" --params-json '{"wxid":"<wxid>"}'

Recommendation

Prefer a version that reads JUST_ONE_API_TOKEN directly from the environment inside the helper or uses a secure credential mechanism instead of a --token argv value.

What this means

The requested wxid and API token are sent to JustOneAPI to retrieve results.

Why it was flagged

The helper makes an external API request to the fixed JustOneAPI base URL; this is disclosed and matches the skill's stated API-wrapper purpose.

Skill content

"baseUrl": "https://api.justoneapi.com" ... response = await fetch(url, requestInit);

Recommendation

Use the skill only if you intend to query JustOneAPI and trust that provider with the token and lookup value.