WeChat Official Accounts Keyword Search API
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill appears to do the advertised WeChat search, but it handles the JustOneAPI token in a way that could expose it on the local machine.
Only install if you are comfortable sending search keywords to JustOneAPI and you can protect the API token. Avoid running the documented command in shared or monitored environments unless the token handling is changed to avoid command-line arguments.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone or something with access to local process arguments while the command runs could see and reuse the JustOneAPI token.
The documented invocation expands the API token into the command-line arguments. Local process listings or tooling that captures command arguments may expose the token.
node {baseDir}/bin/run.mjs --operation "searchWeixinV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"keyword":"<keyword>"}'Prefer a version that reads the token directly from the environment or stdin instead of argv; rotate the token if it may have been exposed.