Xiaohongshu (RedNote) User Profile API
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill matches its stated API purpose, but it passes the JustOneAPI token on the command line, which can expose the credential to local process inspection.
The skill appears to do what it claims: call JustOneAPI to retrieve Xiaohongshu profile data for a provided userId. Review the credential-handling issue before installing: the documented command passes your token as a command-line argument, which may be visible locally. If you use it, run it only in a trusted environment and consider modifying the helper to read JUST_ONE_API_TOKEN directly from the environment.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your JustOneAPI token could be exposed locally if another process or log captures command-line arguments while the command runs.
The instruction expands the API token into a command-line argument. Command-line arguments can be visible to other local processes or captured by execution telemetry, so this is weaker credential handling than reading the token inside the helper from the environment.
node {baseDir}/bin/run.mjs --operation "getUserV3" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'Use only on a trusted local machine, and prefer a version of the helper that reads JUST_ONE_API_TOKEN directly from the environment instead of requiring --token.