Xiaohongshu Creator Marketplace (Pugongying) Data Summary API

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a focused JustOneAPI wrapper, but it handles the API token in a way that may expose it through command-line arguments.

Review the token-handling risk before installing. If you use this skill, prefer a scoped and rotatable JustOneAPI token, avoid shared or logged execution environments, and consider modifying the helper so it reads the token directly from the environment instead of from --token.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

On shared systems, CI runners, or environments that log process arguments, the JustOneAPI token could be exposed and reused by someone else.

Why it was flagged

The documented invocation expands the API credential into a command-line argument instead of having the helper read it directly from the environment or another safer channel.

Skill content

node {baseDir}/bin/run.mjs --operation "apiSolarKolDataV3DataSummaryV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'

Recommendation

Change the helper to read JUST_ONE_API_TOKEN directly from the environment or stdin, avoid running it where process arguments are visible, and use a least-privilege token that can be rotated.

What this means

The queried userId, optional business filter, and authentication token are sent to JustOneAPI to retrieve the requested marketplace data.

Why it was flagged

The helper performs an external API call to the disclosed JustOneAPI endpoint, which is aligned with the skill description.

Skill content

"baseUrl": "https://api.justoneapi.com", ... "method": "GET", ... "path": "/api/xiaohongshu-pgy/api/solar/kol/dataV3/dataSummary/v1"

Recommendation

Use this only for lookups you intend to send to JustOneAPI, and verify that your token scope and provider terms are appropriate.