Xiaohongshu Creator Marketplace (Pugongying) Follower Summary API

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is a focused JustOneAPI endpoint wrapper, but it instructs users to pass the API token on the command line, which can expose the credential to local process listings or logs.

Review the token-handling issue before installing or running this skill. If you use it, prefer modifying the helper to read JUST_ONE_API_TOKEN directly from the environment rather than passing it with --token, and use a limited-scope token if available.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A JustOneAPI credential could be exposed locally even though the skill tells users not to paste token values into chat or logs.

Why it was flagged

The skill explicitly instructs passing the API token as a command-line argument. After shell expansion, that token can be visible in process arguments to local system observers or captured by command logging.

Skill content

node {baseDir}/bin/run.mjs --operation "apiSolarKolDataV3FansSummaryV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'

Recommendation

Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin instead of accepting it through --token; rotate the token if it may have been exposed.

What this means

Your API token and the Xiaohongshu userId being queried are sent to JustOneAPI for the lookup.

Why it was flagged

The helper sends the token and requested userId to the disclosed JustOneAPI endpoint as query parameters. This is consistent with the documented endpoint, but users should understand what data leaves their environment.

Skill content

"baseUrl": "https://api.justoneapi.com" ... "name": "token", "location": "query" ... "name": "userId", "location": "query"

Recommendation

Use a token with the minimum needed scope, avoid querying sensitive identifiers unless necessary, and verify that JustOneAPI's handling of query-parameter tokens meets your requirements.