Xiaohongshu (RedNote) Comment Replies API

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: justoneapi-xiaohongshu-get-note-sub-comment
Version: 1.0.0

The skill is a standard API wrapper for fetching Xiaohongshu (RedNote) comment replies via the JustOneAPI service. The execution script `bin/run.mjs` implements a clean, non-obfuscated wrapper around the native `fetch` API to communicate with the documented endpoint (api.justoneapi.com). No evidence of data exfiltration, malicious execution, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token is exposed, someone else may be able to use the user's JustOneAPI account or quota.

Why it was flagged

The skill instructs use of a sensitive API token through a command-line argument; after shell expansion, that token can be visible to process-list tools or local monitoring on some systems.

Skill content

node {baseDir}/bin/run.mjs --operation "getNoteSubCommentV2" --token "$JUST_ONE_API_TOKEN" --params-json '{"noteId":"<noteId>","commentId":"<commentId>"}'

Recommendation

Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or a secret store instead of argv; avoid using this on shared machines and rotate the token if exposure is suspected.