Xiaohongshu (RedNote) Note Details API
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill appears to retrieve RedNote note details as described, but it passes the JustOneAPI token through command-line arguments, which can expose the token on the local machine.
Only use this skill if you trust JustOneAPI and can tolerate the token-handling risk. If possible, modify the helper to read JUST_ONE_API_TOKEN from the environment directly instead of using --token, and avoid running it on shared systems.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone or something with access to process listings or command history on the same machine could potentially see the JustOneAPI token and use the account's API access.
The documented invocation expands the API token into a command-line argument, which can be visible to local process inspection or captured in command logs.
node {baseDir}/bin/run.mjs --operation "getXiaohongshuNoteDetailV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"noteId":"<noteId>"}'Avoid installing or using this version unless you are comfortable with that exposure. Prefer a version that reads JUST_ONE_API_TOKEN directly from the environment without passing it on the command line, and rotate the token if it may have been exposed.