Xiaohongshu Creator Marketplace (Pugongying) Creator Core Metrics API

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated JustOneAPI lookup purpose, but its documented command exposes the API token through a command-line argument.

Only use this skill if you trust JustOneAPI and need this creator-metrics lookup. Before running it, prefer updating the command/helper so the token is read from the environment internally rather than passed with --token.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The requested creator userId and filters are sent to JustOneAPI to retrieve metrics.

Why it was flagged

The helper sends requests to the documented external JustOneAPI service. This is purpose-aligned, but users should recognize that the lookup parameters and request are sent to that provider.

Skill content

"baseUrl": "https://api.justoneapi.com"

Recommendation

Use the skill only for intended lookups and provide only the creator IDs and filters you mean to query.

What this means

A leaked JustOneAPI token could let someone else make API requests using the user's account or quota.

Why it was flagged

Expanding the environment variable into a command-line argument places the API token in process argv, which may be visible to local process monitors, audit logs, or other users on some systems.

Skill content

--token "$JUST_ONE_API_TOKEN"

Recommendation

Change the helper to read JUST_ONE_API_TOKEN directly from the environment, stdin, or a secret manager instead of passing it via --token; rotate the token if it may have been exposed.