Xiaohongshu Creator Marketplace (Pugongying) Cost Effectiveness Analysis API
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is a narrow JustOneAPI API wrapper, but it tells users to pass the API token on the command line where it may be exposed to local process inspection.
Install only if you are comfortable sending the requested userId and token to JustOneAPI. Before use, consider modifying the helper to read JUST_ONE_API_TOKEN from the environment rather than passing it with --token, and run it only in a trusted local environment.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A local user, monitoring tool, or process logger could capture the JustOneAPI token and use it to access the API or incur usage under the user's account.
This instructs the agent or user to expand the JustOneAPI credential into a command-line argument, which can be visible through local process inspection even though the token is not pasted into chat.
node {baseDir}/bin/run.mjs --operation "apiSolarKolDataV2CostEffectiveV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'
Do not pass the token as a command-line argument. Prefer having the helper read JUST_ONE_API_TOKEN directly from the environment, from stdin, or from a credential store, and rotate the token if it may have been exposed.
