Xiaohongshu Creator Marketplace (Pugongying) Follower Distribution API

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is a focused JustOneAPI wrapper, but it tells the agent to pass your API token on the command line, which can expose the credential locally.

Only use this skill if you are comfortable providing a JustOneAPI token for the endpoint. Before use, consider changing the helper or invocation so the token is read directly from the environment instead of passed on the command line, and use a limited, rotatable token where possible.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Someone with local process visibility or access to execution logs could capture your JustOneAPI token and use your account or API quota.

Why it was flagged

The documented workflow passes the JustOneAPI token as a command-line argument; after shell expansion this can be visible in process listings or execution logs, exposing account/API access.

Skill content

node {baseDir}/bin/run.mjs --operation "getKolFansPortraitV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"kolId":"<kolId>"}'

Recommendation

Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin, avoid commands that place secrets in argv, and rotate the token if you suspect it was exposed.