Scan Report
5 /100
Instagram
Analyze Instagram workflows with JustOneAPI, including user Profile, post Details, and user Published Posts across 5 operations.
A clean API wrapper skill that correctly declares its network:READ permissions and only makes GET requests to the documented JustOneAPI endpoint.
Safe to install
No action needed. The skill performs exactly as documented with no hidden functionality.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | bin/run.mjs:161 - uses native fetch() to call api.justoneapi.com |
| Shell | NONE | NONE | — | No shell execution - uses node directly as declared in SKILL.md |
| Filesystem | NONE | NONE | — | Only reads command-line arguments, no file operations |
| Environment | READ | READ | ✓ Aligned | bin/run.mjs:115 - injectToken() reads JUST_ONE_API_TOKEN as documented |
1 findings
Medium External URL 外部 URL
https://api.justoneapi.com SKILL.md:5 File Tree
4 files · 27.2 KB · 829 lines JavaScript 1f · 427L
JSON 1f · 225L
Markdown 2f · 177L
├─
▾
bin
│ └─
run.mjs
JavaScript
├─
▾
generated
│ ├─
operations.json
JSON
│ └─
operations.md
Markdown
└─
SKILL.md
Markdown
Security Positives
✓ Uses native Node.js fetch API with zero external dependencies
✓ All 5 operations match the SKILL.md documentation exactly
✓ Token is only used for API authentication, not exfiltrated elsewhere
✓ Error handling is comprehensive without leaking sensitive information
✓ All HTTP requests are GET-only with parameters in query strings
✓ No obfuscation, base64, or dynamic code evaluation
✓ No credential harvesting beyond the declared JUST_ONE_API_TOKEN
✓ No sensitive file path access (no ~/.ssh, ~/.aws, .env enumeration)