Xiaohongshu Creator Marketplace (Pugongying) Creator Core Metrics API

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to call the advertised JustOneAPI endpoint, but it passes the API token on the command line where it may be exposed locally.

Use caution before installing. The skill appears limited to the advertised JustOneAPI lookup, but its token handling should be improved. Prefer a version that reads JUST_ONE_API_TOKEN directly from the environment, avoid running it on shared systems, and rotate the token if command execution logs or process listings may have exposed it.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Someone with access to local process listings or logs could capture the JustOneAPI token and use the user's API account.

Why it was flagged

The documented execution path expands a high-value API token into a process command-line argument. Command-line arguments can be visible to local process monitors or captured by tool execution logs, so this is unsafe credential handling even though the API request is purpose-aligned.

Skill content

node {baseDir}/bin/run.mjs --operation "getKolDataCoreV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"kolId":"<kolId>"}'

Recommendation

Change the helper to read JUST_ONE_API_TOKEN directly from the environment, stdin, or a secrets store instead of argv; use a least-privilege token and rotate it if it may have been exposed.