Xiaohongshu (RedNote) User Published Notes API
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: justoneapi-xiaohongshu-get-user-note-list Version: 1.0.0 The skill is a standard API wrapper for JustOneAPI to fetch Xiaohongshu (RedNote) user notes. The execution script `bin/run.mjs` is a clean implementation that uses the built-in `fetch` API to communicate with the legitimate domain `api.justoneapi.com`. The `SKILL.md` file includes security-conscious instructions for the AI agent to avoid leaking the `JUST_ONE_API_TOKEN` in logs or chat messages. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is exposed, someone else may be able to use the user's JustOneAPI account or quota.
The documented invocation places the API token in a command-line argument. Command-line arguments may be visible to local process listings or captured in execution logs, creating an avoidable credential exposure risk.
node {baseDir}/bin/run.mjs --operation "getUserNoteListV2" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or a secure secret store instead of accepting it via --token; rotate the token if it may have been exposed.