Scan Report
0/100
Douban Movie (justoneapi_douban)
Analyze Douban Movie workflows with JustOneAPI, including movie Reviews, review Details, and subject Details across 6 operations.
A clean API wrapper skill for Douban Movie data with no security concerns — only performs declared HTTP GET requests to a single external API endpoint.
Safe to install
This skill is safe to use. No action required.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | bin/run.mjs:86 - fetch(url, requestInit) to https://api.justoneapi.com only |
| Filesystem | NONE | NONE | — | No file operations in bin/run.mjs |
| Shell | NONE | NONE | — | No subprocess/exec calls in bin/run.mjs |
| Environment | NONE | NONE | — | Token passed as CLI argument, no os.environ iteration |
| Skill Invoke | NONE | NONE | — | No dynamic skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database connections |
1 finding
Medium: External URL
https://api.justoneapi.com (SKILL.md:5)
File Tree
4 files · 28.8 KB · 967 lines
JavaScript 1f · 479L
JSON 1f · 277L
Markdown 2f · 211L
├─ bin
│  └─ run.mjs (JavaScript)
├─ generated
│  ├─ operations.json (JSON)
│  └─ operations.md (Markdown)
└─ SKILL.md (Markdown)
Security Positives
✓ Only uses Node.js built-in APIs (fetch, URL, process) — no external dependencies
✓ All 6 operations are HTTP GET requests to a single declared API endpoint
✓ Token passed explicitly via CLI argument, never reads from environment directly
✓ Manifest declares all parameters; no undocumented fields or dynamic evaluation
✓ Documentation (SKILL.md) accurately describes the implementation with no hidden behavior
✓ No obfuscation, no base64 payloads, no dynamic code generation
✓ No shell execution, no file system access, no sensitive path enumeration
✓ Script is a straightforward OpenAPI client — no credential harvesting or data exfiltration