Xiaohongshu Creator Marketplace (Pugongying) Creator Content Tags API

Warn

Audited by ClawScan on May 10, 2026.

Overview

This is a narrow JustOneAPI lookup skill, but it tells the agent to pass your JustOneAPI token on the command line, where it can be exposed.

Only install this if you trust JustOneAPI and can use a limited-scope token. Prefer modifying or wrapping the helper so the token is read from the environment without being placed on the command line, especially on shared or monitored systems.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A leaked JustOneAPI token could let someone else use the user’s API account or consume their quota, depending on the token’s permissions.

Why it was flagged

The command in the skill content expands the API token into the process command line. Command-line arguments can be visible to other local users, process inspectors, crash reports, or logs.

Skill content

node {baseDir}/bin/run.mjs --operation "apiSolarKolDataV2KolContentTagsV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'

Recommendation

Change the helper to read JUST_ONE_API_TOKEN directly from the environment, stdin, or a secret manager instead of accepting it via --token; use a least-privilege token and rotate it if exposure is suspected.