Zhihu Column Article List API

Warn

Audited by ClawScan on May 10, 2026.

Overview

This focused API skill matches its stated purpose, but its documented token handling can expose your JustOneAPI token on the command line.

Review the token-handling risk before installing. The endpoint behavior is otherwise narrow and consistent, but you should avoid running it where process arguments may be visible, and prefer a version that reads the API token directly from a protected environment variable or secret store.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token is observed, another local user or process could potentially use your JustOneAPI account or quota.

Why it was flagged

The documented invocation expands a high-value API token into a process argument. Although the token is purpose-aligned for JustOneAPI, argv-based secret handling can expose it to local process inspection or command execution logs.

Skill content

node {baseDir}/bin/run.mjs --operation "getColumnArticleListV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"columnId":"<columnId>"}'

Recommendation

Prefer a helper that reads JUST_ONE_API_TOKEN directly from the environment, stdin, or a secret manager instead of --token argv. Use only on trusted machines and rotate the token if it may have been logged.