Xiaohongshu Creator Marketplace (Pugongying) Similar Creators API
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to call the advertised JustOneAPI endpoint, but it handles the API token in a way that can expose it through command-line arguments.
Use caution before installing or invoking this skill. It appears limited to the advertised JustOneAPI lookup, but its current command pattern exposes your API token in argv. Prefer a version that reads the token securely from the environment and only run it in trusted local environments.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone with access to the same machine or process logs could potentially recover the JustOneAPI token and use it outside this skill.
The documented invocation places the API token in process argv. Command-line arguments may be visible to local process inspection tools, shell telemetry, or logs, so this increases the chance of credential exposure.
node {baseDir}/bin/run.mjs --operation "apiSolarKolGetSimilarKolV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"userId":"<userId>"}'
Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin rather than taking it as --token. Avoid running this command on shared systems, and rotate the token if it may have been exposed.
