Xiaohongshu Creator Marketplace (Pugongying) Creator Search API
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a narrow JustOneAPI wrapper, but it tells the agent to pass your API token on the command line where it may be exposed locally.
Use only if you are comfortable sending your selected search parameters and JustOneAPI token to api.justoneapi.com. Prefer safer credential handling, such as updating the helper to read JUST_ONE_API_TOKEN directly from the environment instead of passing it with --token.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Another local user or diagnostic tooling could capture the JustOneAPI token and use it to make API calls under your account.
The instruction expands the API token into a command-line argument, and process arguments can be visible to local process listings or logs even though the token is meant to stay secret.
node {baseDir}/bin/run.mjs --operation "apiSolarCooperatorBloggerV2V1" --token "$JUST_ONE_API_TOKEN" --params-json '{"key":"value"}'Prefer a version that reads JUST_ONE_API_TOKEN directly from the environment or stdin rather than --token; if you use this skill, run it only on trusted machines and rotate the token if exposure is suspected.