Xiaohongshu Creator Marketplace (Pugongying) Creator Profile API
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: justoneapi-xiaohongshu-pgy-api-solar-cooperator-user-blogger-user-id Version: 1.0.0 The skill bundle is a standard API wrapper for retrieving Xiaohongshu creator profile data via JustOneAPI. The execution logic in `bin/run.mjs` is transparent, performing a simple HTTP GET request to `api.justoneapi.com` without any signs of obfuscation, unauthorized data exfiltration, or malicious intent. The documentation in `SKILL.md` correctly identifies required environment variables and includes instructions to protect sensitive tokens.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone or something with access to local process details while the command runs may be able to see the API token.
The skill needs the JustOneAPI token for its stated purpose, but passing it via a command-line argument can expose the expanded token to local process inspection or command logging.
node {baseDir}/bin/run.mjs --operation "apiSolarCooperatorUserBloggerUserIdV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin, and rotate the token if you suspect it was exposed.