Zhihu Answer List API

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a narrowly scoped Zhihu read-only API wrapper, but it passes the JustOneAPI token on the command line where it may be exposed locally.

Review before installing. The API behavior is narrow and read-only, but the token should be handled more safely than the documented --token argument; use only in a trusted local environment or modify the helper to read the token from the environment.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A leaked JustOneAPI token could let someone else use the user's API quota or access capabilities associated with that token.

Why it was flagged

The documented command expands the primary API credential into a process argument. Process arguments can be visible to local process monitors, other same-host users in some environments, or execution logs.

Skill content

node {baseDir}/bin/run.mjs --operation "getAnswerListV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"questionId":"<questionId>"}'

Recommendation

Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment or stdin instead of accepting it through argv, and rotate the token if it may have been exposed.