YOUKU Video Details API
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill appears to do the advertised YOUKU video metadata lookup, but its documented command passes your JustOneAPI token through command-line arguments, which can expose the token locally.
Review this skill before use. It seems focused on one JustOneAPI YOUKU lookup endpoint, but avoid running it as documented until the token is no longer passed via `--token`; if you already ran it in a monitored or shared environment, consider rotating the JustOneAPI token.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A local user, monitoring tool, or command-capture log could see the JustOneAPI token and use the associated account.
This tells the agent/user to place a high-value API credential in command-line arguments. Process arguments can be exposed through local process listings, shell telemetry, or logs, so the token is under-protected even though the API call itself is purpose-aligned.
node {baseDir}/bin/run.mjs --operation "getYoukuVideoDetailV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"videoId":"<videoId>"}'Change the helper to read `JUST_ONE_API_TOKEN` directly from the environment or from stdin, and avoid passing secrets in command-line arguments.