Xiaohongshu Creator Marketplace (Pugongying) Follower Distribution API
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: justoneapi-xiaohongshu-pgy-api-solar-kol-data-user-id-fans-profile
Version: 1.0.0
The skill is a standard API wrapper for the JustOneAPI service, designed to fetch Xiaohongshu follower distribution data. The implementation in bin/run.mjs uses standard Node.js fetch calls to a hardcoded legitimate domain (api.justoneapi.com) and contains no evidence of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A JustOneAPI token could be exposed on the local machine even though the skill is only meant to call one API endpoint.
The following command instructs the agent/user to place the API token in process arguments. Command-line arguments may be visible to other local users, process inspection tools, crash reports, or command logging.
node {baseDir}/bin/run.mjs --operation "apiSolarKolDataUserIdFansProfileV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'
Prefer a version that reads JUST_ONE_API_TOKEN directly from the environment inside the helper, uses stdin, or otherwise avoids passing secrets through argv. Rotate the token if it may have been captured in logs or process monitoring.
