Xiaohongshu (RedNote) Keyword Suggestions API
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is narrowly scoped to a JustOneAPI keyword-suggestion endpoint, but it handles the API token in a way that can expose it through command-line arguments.
Only install if you are comfortable using a JustOneAPI token with this skill. If possible, modify or wrap the helper so the token is read from JUST_ONE_API_TOKEN without placing it on the command line, and avoid running it on shared systems where other processes may inspect command arguments.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A local user, process, or logging system could capture the JustOneAPI token and use it against the user's API account.
The token environment variable is expanded into a process argument. Command-line arguments can be exposed through process listings, shell history/debug output, or local monitoring, so this is weaker than reading the token directly from the environment or a secure secret source.
node {baseDir}/bin/run.mjs --operation "searchRecommendV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"keyword":"<keyword>"}'
Avoid passing the token in argv. Prefer updating the helper to read JUST_ONE_API_TOKEN directly from the environment, stdin, or a secret manager, and rotate the token if it may have been exposed.
