Xiaohongshu Creator Marketplace (Pugongying) Creator Profile API
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent JustOneAPI wrapper, but its documented command passes the API token on the command line, which can expose the credential locally.
Review this skill before installing if you will provide a real JustOneAPI token. The API behavior matches its description, but the current command-line token handling is weaker than reading the token securely from the environment.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A JustOneAPI token could be exposed on the local machine even though the skill otherwise calls the intended provider endpoint.
The documented invocation places the API token in a command-line argument; command-line arguments can be visible to local process inspection, monitoring tools, and some logs while the helper runs.
node {baseDir}/bin/run.mjs --operation "getXiaohongshuPgyKolInfoV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"kolId":"<kolId>"}'
Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or a secure secret channel instead of argv; use a restricted, revocable token and rotate it if exposure is suspected.
If the token is available to the agent, the agent can call this JustOneAPI endpoint under the user's account.
The skill requires a JustOneAPI authentication token and sends it as part of the provider API request; this is purpose-aligned but still grants account-level API access.
| `token` | `query` | yes | `string` | n/a | User authentication token. |
Use the least-privileged token available, keep it out of chat messages and logs, and monitor or revoke the token if it is no longer needed.
