Xiaohongshu (RedNote) Note Comments API

Pass. Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: justoneapi-xiaohongshu-get-note-comment
Version: 1.0.0

The skill is a standard API wrapper for fetching Xiaohongshu (RedNote) note comments via JustOneAPI. The implementation in bin/run.mjs is a straightforward Node.js script that uses the built-in fetch API to communicate with a hardcoded base URL (api.justoneapi.com). It lacks any indicators of malicious intent, such as data exfiltration, obfuscation, or unauthorized command execution, and its instructions in SKILL.md are strictly aligned with its stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A leaked JustOneAPI token could let someone else use the user’s API account or consume paid quota.

Why it was flagged

The skill instructs the agent to pass the API token as a command-line argument. When expanded, that token can be visible to local process inspection, command telemetry, or logs.

Skill content

node {baseDir}/bin/run.mjs --operation "getNoteCommentV2" --token "$JUST_ONE_API_TOKEN" --params-json '{"noteId":"<noteId>"}'

Recommendation

Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin instead of accepting it on argv; rotate the token if it may have been exposed.