Xiaohongshu Creator Marketplace (Pugongying) Note Details API
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is a focused JustOneAPI wrapper, but its documented run command passes the API token through command-line arguments, which can expose the token locally.
Install only if you are comfortable using a JustOneAPI token with this helper. If possible, modify or wrap the script so it reads JUST_ONE_API_TOKEN from the environment internally rather than passing it with --token, especially on shared machines.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your JustOneAPI token could be exposed on the local machine while the command is running, potentially allowing unauthorized use of your API account.
The documented command expands the API token into a command-line argument, which can be visible to other local processes or captured by process-monitoring tools.
node {baseDir}/bin/run.mjs --operation "getXiaohongshuPgyNoteDetailV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"noteId":"<noteId>"}'Prefer a version of the helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin, and avoid running this command on shared or untrusted systems.