Xiaohongshu Creator Marketplace (Pugongying) Follower Summary API
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a narrow, read-only JustOneAPI wrapper, but it passes your API token on the command line, which can expose the token locally.
Review before installing. The API call itself is scoped and read-only, but the token handling should be fixed, or the skill used cautiously: avoid running it on shared machines, do not log commands containing the token, and rotate the token if exposure is suspected.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A local user, process monitor, or logging system could capture the JustOneAPI token and use it outside this skill.
The documented invocation expands the JustOneAPI credential into a command-line argument. Command-line arguments can be visible to local process listings, terminal/session logging, or monitoring tools.
node {baseDir}/bin/run.mjs --operation "getKolFansSummaryV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"kolId":"<kolId>"}'
Change the helper to read JUST_ONE_API_TOKEN directly from the environment or stdin instead of --token. Use least-privileged, rotatable tokens and avoid this invocation style on shared systems.
