v1.0.0

Xiaohongshu Creator Marketplace (Pugongying) User Published Notes API

Review

ClawScan verdict for this skill. Analyzed May 2, 2026, 5:11 PM.

Analysis

This is a coherent JustOneAPI wrapper, but it tells the agent to pass the API token on the command line, which can expose the token locally.

Guidance

Review before installing. The API wrapper itself appears focused and consistent with its stated purpose, but you should avoid exposing API tokens through command-line arguments. If you use it, prefer modifying the helper to read the token from the environment, use the least-privileged token available, and rotate the token if it may have been visible in process listings or logs.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
SKILL.md
node {baseDir}/bin/run.mjs --operation "apiSolarKolDataV2NotesDetailV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'

The documented invocation expands the API token into a command-line argument. Command-line arguments can be visible to other local processes (for example, in process listings) or captured by monitoring and logging tools, so this is unsafe handling of a credential.

User impact: Your JustOneAPI token could be exposed on the local machine while the helper runs, potentially allowing unauthorized use of your API account.

Recommendation: Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or a secret store instead of a --token argv parameter; use a scoped token, run only on trusted systems, and rotate the token if exposure is suspected.