Xiaohongshu Creator Marketplace (Pugongying) Cost Effectiveness Analysis API

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill’s API wrapper is coherent and limited to the advertised JustOneAPI endpoint, but it passes the API token as a command-line argument, which is unsafe.

Review before installing. The skill appears to do what it claims, but you should be careful because its documented command passes your JustOneAPI token as a command-line argument. If you use it, avoid shared machines and command logging, and prefer changing the helper to read the token directly from the environment.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Someone with local process visibility or access to execution logs could potentially recover the JustOneAPI token and use the account’s API access.

Why it was flagged

The documented invocation expands the API token into a process argument. Command-line arguments can be visible to other local processes, diagnostics, or logs, so this is riskier than reading the token directly from the environment.

Skill content

node {baseDir}/bin/run.mjs --operation "getKolCostEffectiveV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"kolId":"<kolId>"}'

Recommendation

Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin, and avoid logging full command lines that contain expanded secrets.

What this means

Using the skill sends the requested kolId and token to JustOneAPI to retrieve marketplace analytics.

Why it was flagged

The helper performs an outbound HTTP request, but the code fixes the base URL to https://api.justoneapi.com and validates the operation against the single documented operation.

Skill content

response = await fetch(url, requestInit);

Recommendation

Use it only for kolIds you intend to query through JustOneAPI, and review the returned data before sharing it elsewhere.