Xiaohongshu (RedNote) User Search API
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is a coherent JustOneAPI search wrapper, but it should be reviewed because it passes the API token through command-line arguments.
This appears to be a single-purpose, read-only JustOneAPI wrapper for Xiaohongshu user search. Before using it, be aware that your search keyword and token are sent to api.justoneapi.com, and avoid the provided --token command pattern unless the helper is updated to keep the token out of process arguments.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone with access to local process details, tool logs, or telemetry could potentially see and reuse the JustOneAPI token.
The skill requires a sensitive API credential and instructs the agent to pass it as a command-line argument. That is not needed for the endpoint purpose and may expose the token to local process inspection or command logging.
node {baseDir}/bin/run.mjs --operation "getSearchUserV2" --token "$JUST_ONE_API_TOKEN" --params-json '{"keyword":"<keyword>"}'Use only after changing the helper to read JUST_ONE_API_TOKEN directly from the environment or another non-argv secret channel; rotate the token if it may have been exposed.