Weibo API

v1.0.0

Track Weibo hot search boards, keyword results, creator profiles, fan or follower graphs, and post or video detail endpoints through JustOneAPI.

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, declared binary (node), and required environment variable (JUST_ONE_API_TOKEN) match the included OpenAPI operations that call https://api.justoneapi.com. All required parameters and endpoints are consistent with a Weibo data-read integration.
Instruction Scope
SKILL.md gives explicit, narrow runtime instructions (read generated docs, choose operation, ask for missing params, run bin/run.mjs). It also instructs passing the token on the command line and including backend payloads on error; both behaviors increase the chance of accidental token exposure (process lists, logs, or printed error payloads). Otherwise the instructions stay within the stated purpose.
Install Mechanism
No install spec — instruction-only with a bundled Node runner (bin/run.mjs). This is low-risk: no external archives or downloads. The provided run.mjs appears to be an OpenAPI client/manifest that targets api.justoneapi.com, which is expected for this skill.
Credentials
Only one credential (JUST_ONE_API_TOKEN) is required, and it is the primary credential for the JustOneAPI service — this is proportionate. Minor concern: the recommended invocation supplies the token as a command-line argument (--token "$JUST_ONE_API_TOKEN"), which can be exposed via process listings or shell histories on shared systems; SKILL.md warns to keep the token private but does not recommend safer alternatives (environment variable only, protected config file, or stdin).
Persistence & Privilege
No elevated persistence requested. always is false, the skill is user-invocable, and it does not request or modify other skill configurations or system-wide settings.
Assessment
This skill appears to be what it says: a read-only Weibo client that calls JustOneAPI. Before installing: (1) Confirm you trust the JustOneAPI service and the skill publisher (owner ID is not a familiar vendor). (2) Prefer passing the token via a protected environment variable (export JUST_ONE_API_TOKEN) or other OS-secure secret mechanism instead of a command-line argument, because command-line args can be seen by other users/processes and may be saved in shell history. (3) Be aware the SKILL.md asks to include backend payloads when errors occur — those payloads could accidentally contain sensitive info, so avoid posting error dumps to public logs or chat. (4) If you need stronger assurance, review the full bin/run.mjs to confirm it only contacts api.justoneapi.com and does not log or transmit other local data.


latestvk973ccwg11k93set8d4qekfd5s8497pa


Runtime requirements

Bins: node
Env: JUST_ONE_API_TOKEN
Primary env: JUST_ONE_API_TOKEN
