Xiaohongshu (RedNote) Comment Replies API

Warn. Audited by ClawScan on May 10, 2026.

Overview

This is a narrow read-only API helper, but it warrants Review because it tells the agent to pass your JustOneAPI token on the command line, where other processes and users on the same machine may be able to read it.

Only install if you are comfortable using a JustOneAPI token for this read-only endpoint. If possible, modify or request an update so the helper reads the token from the environment internally rather than passing it with --token on the command line.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token is exposed, someone else may be able to use your JustOneAPI account or quota. The endpoint this skill calls is read-only, but the token is an account credential, so what an attacker can do with it is not limited to this endpoint.

Why it was flagged

The skill instructs the agent to supply a sensitive API token as a command-line argument. The shell expands "$JUST_ONE_API_TOKEN" before the process starts, so the literal token ends up in the process's argv, where process-list tools (ps, /proc/<pid>/cmdline) and local monitoring can read it on many systems; any logging of the executed command captures it as well.

Skill content
node {baseDir}/bin/run.mjs --operation "getNoteSubCommentV2" --token "$JUST_ONE_API_TOKEN" --params-json '{"noteId":"<noteId>","commentId":"<commentId>"}'

Recommendation

Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or a secret store instead of argv; avoid using this on shared machines and rotate the token if exposure is suspected.
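To make the recommendation concrete, the following is an added example of how a Node entry point in the shape of the skill's run.mjs could take the token from the environment and refuse it on argv. This is illustrative code written for this review, not the skill's own run.mjs; the function names, the SECRET_FLAGS list, and the assumption that JustOneAPI accepts the token in an Authorization: Bearer header are all assumptions, and the actual HTTP call is left out. The block only builds the request and shows, via argvLeaks and redactArgv, what the shell has actually placed in argv.

```javascript
// Added example, not the skill's code: token from the environment, never from argv.
// Assumptions: TOKEN_ENV, SECRET_FLAGS, parseArgs, resolveToken, buildRequest,
// redactArgv, argvLeaks are hypothetical names; the Bearer header is assumed.

const TOKEN_ENV = "JUST_ONE_API_TOKEN";
const SECRET_FLAGS = new Set(["token"]);

// Parse "--flag value", "--flag=value" and bare "--flag" into a Map.
function parseArgs(argv) {
  const args = new Map();
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    if (!a.startsWith("--")) continue;
    const eq = a.indexOf("=");
    if (eq !== -1) {
      args.set(a.slice(2, eq), a.slice(eq + 1));
    } else if (i + 1 < argv.length && !argv[i + 1].startsWith("--")) {
      args.set(a.slice(2), argv[++i]);
    } else {
      args.set(a.slice(2), true);
    }
  }
  return args;
}

// The token comes from the environment only. A --token argument is refused
// rather than honoured: by the time this code runs, the shell has already
// expanded "$JUST_ONE_API_TOKEN" into a literal string in argv.
function resolveToken(args, env) {
  for (const flag of SECRET_FLAGS) {
    if (args.has(flag)) {
      throw new Error(`--${flag} is not accepted on the command line; export ${TOKEN_ENV} instead`);
    }
  }
  const token = env[TOKEN_ENV];
  if (typeof token !== "string" || token.trim() === "") {
    throw new Error(`${TOKEN_ENV} is not set`);
  }
  return token.trim();
}

// Assemble the outbound call. The token lives only in the header object;
// operation and params can be logged without it.
function buildRequest(args, token) {
  const operation = args.get("operation");
  if (typeof operation !== "string") throw new Error("--operation is required");
  const params = JSON.parse(args.get("params-json") || "{}");
  return { operation, params, headers: { Authorization: `Bearer ${token}` } };
}

// True if the literal secret is present anywhere in argv, i.e. visible to ps.
function argvLeaks(argv, secret) {
  return argv.some((a) => a.includes(secret));
}

// Copy of argv with secret-bearing flag values replaced, safe to log.
function redactArgv(argv) {
  const out = [];
  for (let i = 0; i < argv.length; i++) {
    const a = argv[i];
    const name = a.startsWith("--") ? a.slice(2).split("=")[0] : null;
    if (name && SECRET_FLAGS.has(name)) {
      if (a.includes("=")) {
        out.push(`--${name}=<redacted>`);
      } else {
        out.push(a);
        if (i + 1 < argv.length) { out.push("<redacted>"); i++; }
      }
    } else {
      out.push(a);
    }
  }
  return out;
}

// Entry point mirroring the skill's invocation, minus --token.
function main(argv = process.argv.slice(2), env = process.env) {
  const args = parseArgs(argv);
  const token = resolveToken(args, env);
  const req = buildRequest(args, token);
  console.log(JSON.stringify({ operation: req.operation, params: req.params, argv: redactArgv(argv) }));
  return req;
}

// Run only when invoked as the CLI (e.g. node run.mjs --operation ... --params-json ...).
if (process.argv.slice(2).includes("--operation")) main();
```

With this shape the invocation becomes `JUST_ONE_API_TOKEN=... node run.mjs --operation "getNoteSubCommentV2" --params-json '{...}'` (or the variable exported beforehand), and argv never carries the credential; a leftover `--token` from the old instructions fails loudly instead of quietly exposing the token.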