Xiaohongshu (RedNote) User Published Notes API
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is narrowly scoped to a JustOneAPI RedNote lookup, but it passes the API token on the command line where it may be exposed to local process inspection or logs.
Review the credential-handling risk before installing. The skill appears to do the advertised RedNote note-list lookup through JustOneAPI, but you should avoid exposing JUST_ONE_API_TOKEN in command-line arguments if possible and only use it in an environment where local process details are not visible to untrusted users.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is exposed, someone else may be able to use the user's JustOneAPI account or quota.
The documented invocation places the API token in a command-line argument. Command-line arguments may be visible to local process listings or captured in execution logs, creating an avoidable credential exposure risk.
node {baseDir}/bin/run.mjs --operation "getUserNoteListV2" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'
Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or a secure secret store instead of accepting it via --token; rotate the token if it may have been exposed.
