TikTok Shop API
v1.0.3
Analyze TikTok Shop workflows with JustOneAPI, including product Search and product Details.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the implemented operations. The code calls https://api.justoneapi.com and exposes two GET endpoints (searchProductsV1, getProductDetailV1). Requiring node and JUST_ONE_API_TOKEN is appropriate for this API wrapper.
Instruction Scope
SKILL.md limits runtime behavior to selecting an operation and running the included CLI (node bin/run.mjs). It does not ask to read unrelated files or system state. However, the recommended invocation passes the token as a command-line argument (--token "$JUST_ONE_API_TOKEN"), which risks exposing the secret via process listings; the script itself does not read process.env directly and relies on the CLI token.
Install Mechanism
No install/download step. This is an instruction + bundled CLI script (bin/run.mjs). No external archives or network installs are performed by the skill package itself.
Credentials
Only JUST_ONE_API_TOKEN is required, which is proportional to the stated purpose. Two security issues to consider: (1) the token is sent as a query parameter in the URL (the script appends a 'token' query value), which can be logged by servers/proxies and is less secure than an Authorization header; (2) the runtime guidance passes the token on the command line, exposing it to local process listings. These are implementation/privacy risks rather than evidence of malicious intent.
Persistence & Privilege
Skill does not request persistent/system-wide presence (always=false), does not modify other skills or agent configuration, and requires only the normal ability to perform outbound HTTP requests.
Assessment
This skill appears to do what it says — call JustOneAPI TikTok Shop endpoints — and only needs your JUST_ONE_API_TOKEN and node. Before installing: (1) Confirm you trust https://api.justoneapi.com and the published skill owner. (2) Prefer not to pass the token on the command line (ps output can leak it); instead, run a modified script that reads process.env.JUST_ONE_API_TOKEN or let the platform inject the secret into stdin/ENV. (3) Be aware the script sends the token as a URL query parameter, which can be logged by intermediaries; if possible ask the provider for a header-based auth or update the script to POST with an Authorization header if the API supports it. (4) Ensure Node 18+ is used (script uses fetch). (5) If you must use the provided workflow, treat the token as sensitive: rotate it if you suspect exposure and restrict its permissions where possible.
Like a lobster shell, security has layers — review code before you run it.
latestvk97adt4y2g4x3fg9q958tg7nzn84886s
Runtime requirements
Bins: node
Env: JUST_ONE_API_TOKEN
Primary env: JUST_ONE_API_TOKEN
