Xiaohongshu Creator Marketplace (Pugongying) Follower Growth History API
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do the advertised API lookup, but its documented command passes your JustOneAPI token through command-line arguments where it may be exposed.
Only use this skill if you are comfortable providing a JustOneAPI token for this endpoint. Prefer a version that reads the token directly from the environment rather than using --token on the command line, especially on shared systems or systems with process/log monitoring.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your JustOneAPI token could be exposed to other local users or tools, potentially allowing unauthorized API use or billing impact.
This documented command expands the JustOneAPI token into the process argument list. Command-line arguments can be visible to local process inspection tools, monitoring, crash reports, or logs on some systems.
node {baseDir}/bin/run.mjs --operation "getKolFansTrendV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"kolId":"<kolId>","dateType":"_1","increaseType":"_1"}'
Avoid passing secrets through argv. The helper should read JUST_ONE_API_TOKEN directly from the environment, stdin, or a secret manager; rotate the token if it may have been exposed on a shared or monitored machine.
