Zhihu Keyword Search API
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to call only the claimed Zhihu search API, but it passes the JustOneAPI token on the command line where it may be exposed locally.
Review the credential handling before installing. The skill’s API behavior is narrowly scoped to Zhihu keyword search, but you should avoid using it on shared or monitored systems unless the token is handled without appearing in process arguments.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
On a shared or monitored machine, another local user, process, or log collector could capture the JustOneAPI token and use it outside this skill.
This directs the helper to receive the provider token through process argv. The token is purpose-aligned, but command-line arguments may be visible to local process inspection, shell/debug tooling, or command telemetry.
node {baseDir}/bin/run.mjs --operation "searchZhihuV1" --token "$JUST_ONE_API_TOKEN" --params-json '{"keyword":"<keyword>"}'
Prefer a version that reads JUST_ONE_API_TOKEN directly from the environment or stdin instead of argv; if used, run only on trusted machines and rotate the token if exposure is suspected.
