Zhihu Column Article Details API

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is focused on one JustOneAPI lookup, but it passes your API token on the command line where it may be exposed locally.

Install only if you are comfortable with the JustOneAPI token handling. The API lookup behavior is otherwise narrow and read-only, but the token should ideally not be passed as a command-line argument; use a limited-scope token and rotate it if exposed.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your JustOneAPI token could be exposed to other local processes or logs even though the API call itself is purpose-aligned.

Why it was flagged

The skill instructs callers to pass the API token as a command-line argument, so the expanded secret may be visible in process listings or captured by command/tool logs.

Skill content

node {baseDir}/bin/run.mjs --operation "getColumnArticleDetailV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"id":"<id>"}'

Recommendation

Prefer a version of the helper that reads JUST_ONE_API_TOKEN internally from the environment or stdin, use a restricted token if available, and rotate the token if it may have been exposed.