ClawHub

Toutiao API

v1.0.4

Analyze Toutiao workflows with JustOneAPI, including article Details, user Profile, and app Keyword Search across 4 operations.

0· 26·1 current·1 all-time
by@justoneapi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match what is implemented: a small HTTP wrapper for 4 Toutiao endpoints on api.justoneapi.com. Required binary (node) and a single API token are expected and proportional to the stated purpose.
!
Instruction Scope
SKILL.md directs the agent to run the included node script to call JustOneAPI and to pass JUST_ONE_API_TOKEN as a --token CLI argument. Passing secrets on the command line can expose them to other local users (process listings) and some logging systems. Otherwise the instructions limit actions to selecting an operation and calling the API; they do not request unrelated files, credentials, or external endpoints.
Install Mechanism
No install spec; code is bundled with the skill (bin/run.mjs). No external downloads or obscure install URLs are used. This is low risk from an installation perspective.
Credentials
Only JUST_ONE_API_TOKEN is required and is the declared primary credential, which matches the skill's purpose. Note: the token is sent as a query parameter to api.justoneapi.com (per the manifest) and passed via CLI; query params can be recorded in server logs and CLI args can be visible to local processes, increasing exposure risk.
Persistence & Privilege
Skill does not request always:true, does not modify other skills or system config, and relies on normal autonomous invocation. No elevated persistence or cross-skill configuration is requested.
Assessment
This skill appears to do what it says: call JustOneAPI's Toutiao endpoints and return JSON. Before installing: 1) Only provide a JustOneAPI token you trust—do not reuse a high-privilege token if you want to limit exposure. 2) The SKILL.md recommends invoking the bundled node script with --token "${JUST_ONE_API_TOKEN}"; be aware that command-line arguments can be visible to other users on the same machine and may be captured in some logs. Consider using an execution environment where the token is provided via a safe mechanism (environment variable or secure secret store) or use a short-lived token you can revoke. 3) Confirm you trust the external host (https://api.justoneapi.com) and are comfortable with the token being sent as a query parameter (it may appear in URL logs). If these token-exposure considerations are unacceptable, do not install or ask the skill author to change the invocation to a safer mechanism.

Like a lobster shell, security has layers — review code before you run it.

latestvk97az97r0g44tzpmtmjh7n7nks849shm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode
EnvJUST_ONE_API_TOKEN
Primary envJUST_ONE_API_TOKEN

Comments