Xiaohongshu Creator Marketplace (Pugongying) Note Details API

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a focused API wrapper, but it asks the agent to pass your JustOneAPI token on the command line, which can expose it locally.

Review this skill before installing because it handles your JustOneAPI token in an unsafe way. The API call itself is narrowly scoped, but you should avoid exposing the token on the command line if possible and use it only in a trusted environment.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A local user or process-monitoring tool could see and reuse the JustOneAPI token while the command is running.

Why it was flagged

The documented invocation places the JustOneAPI token in process argv. Command-line arguments can be visible to local process inspection tools, logs, wrappers, or monitoring systems.

Skill content

node {baseDir}/bin/run.mjs --operation "apiSolarNoteNoteIdDetailV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"noteId":"<noteId>"}'

Recommendation

Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or another secure secret channel instead of passing it with --token. Only run this skill on trusted systems and rotate the token if exposure is suspected.