Xiaohongshu (RedNote) Note Comments API
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill does what it claims, but it passes your JustOneAPI token on the command line, which can expose the token through process listings or logs.
Install only if you are comfortable using a JustOneAPI token with this helper. The API behavior is narrowly scoped and read-only, but the token-passing method is risky; use a patched version that reads the token from the environment directly, and avoid running it on shared systems.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A leaked JustOneAPI token could let someone else use the user’s API account or consume paid quota.
The skill instructs the agent to pass the API token as a command-line argument. When expanded, that token can be visible to local process inspection, command telemetry, or logs.
node {baseDir}/bin/run.mjs --operation "getNoteCommentV2" --token "$JUST_ONE_API_TOKEN" --params-json '{"noteId":"<noteId>"}'Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin instead of accepting it on argv; rotate the token if it may have been exposed.