Xiaohongshu Creator Marketplace (Pugongying) Follower Distribution API
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a narrow JustOneAPI wrapper, but it handles the API token through command-line arguments, which can expose the credential locally.
Only install if you are comfortable with this credential-handling risk. Use it on a trusted single-user machine, avoid logging commands, and prefer an updated helper that reads the token directly from the environment instead of --token.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A JustOneAPI token could be exposed on the local machine even though the skill is only meant to call one API endpoint.
This instructs the agent/user to place the API token in process arguments. Command-line arguments may be visible to other local users, process inspection tools, crash reports, or command logging.
node {baseDir}/bin/run.mjs --operation "apiSolarKolDataUserIdFansProfileV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'
Prefer a version that reads JUST_ONE_API_TOKEN directly from the environment inside the helper, uses stdin, or otherwise avoids passing secrets through argv. Rotate the token if it may have been captured in logs or process monitoring.
