Xiaohongshu Creator Marketplace (Pugongying) Follower Growth History API
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to call the advertised JustOneAPI endpoint, but its documented command passes your API token on the command line where it may be exposed locally.
Review this skill before installing. Its API behavior is narrowly scoped, but prefer a version that reads JUST_ONE_API_TOKEN directly from the environment rather than putting the token on the command line.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone or something with local process visibility could capture the JustOneAPI token while the command runs and use it as the user.
This tells the agent/user to pass the JustOneAPI credential as a command-line argument; shell expansion can place the real token in the process argument list visible to other local processes or diagnostics.
node {baseDir}/bin/run.mjs --operation "apiSolarKolDataUserIdFansOverallNewHistoryV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'
Change the helper to read JUST_ONE_API_TOKEN directly from the environment or another protected input channel instead of accepting it via --token; rotate the token if it may have been exposed.
