ClawHub

Xiaohongshu (RedNote) API

v1.0.0

Search Xiaohongshu notes, inspect creator profiles, resolve share links, and drill into note comments, replies, and note detail endpoints through JustOneAPI.

0· 19·0 current·0 all-time
by@justoneapi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implemented operations. The skill only exposes read-only Xiaohongshu endpoints via JustOneAPI and declares JUST_ONE_API_TOKEN and node, which are appropriate for a Node CLI that calls that API.
Instruction Scope
SKILL.md instructs the agent to select specific read-only operations, request missing parameters from the user, and run the included Node CLI with a token. It does not instruct reading unrelated files or environment variables and warns users not to paste the token into chat.
Install Mechanism
No install script or network download is included; a local Node script (bin/run.mjs) is bundled and executed. This is low-risk compared to remote downloads or extract/install steps.
Credentials
Only JUST_ONE_API_TOKEN is required and declared as the primary credential; that directly maps to the API authentication the skill performs. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated presence or system configuration changes. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
Assessment
This skill appears to do exactly what it says: call JustOneAPI endpoints for Xiaohongshu. If you install it, provide a JustOneAPI token you control and expect the bundled Node script (bin/run.mjs) to be executed. Consider these practical precautions: 1) Only use a token with minimal permissions and monitor/rotate it if possible; 2) be aware the token is passed as a query parameter to the API (may appear in server logs or referer headers) — avoid using high-privilege or long-lived secrets; 3) review the full bin/run.mjs file before enabling the skill if you want to confirm there are no additional network calls or unexpected behavior; 4) verify the JustOneAPI service, pricing, and privacy policy before sending sensitive or large volumes of data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bxs4gtt8eedzzr1nngyza3s848drg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode
EnvJUST_ONE_API_TOKEN
Primary envJUST_ONE_API_TOKEN

Comments