扫描报告
5 /100
Instagram
Analyze Instagram workflows with JustOneAPI, including user Profile, post Details, and user Published Posts across 5 operations.
A clean API wrapper skill that correctly declares its network:READ permissions and only makes GET requests to the documented JustOneAPI endpoint.
可以安装
No action needed. The skill performs exactly as documented with no hidden functionality.
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 网络访问 | READ | READ | ✓ 一致 | bin/run.mjs:161 - uses native fetch() to call api.justoneapi.com |
| 命令执行 | NONE | NONE | — | No shell execution - uses node directly as declared in SKILL.md |
| 文件系统 | NONE | NONE | — | Only reads command-line arguments, no file operations |
| 环境变量 | READ | READ | ✓ 一致 | bin/run.mjs:115 - injectToken() reads JUST_ONE_API_TOKEN as documented |
1 项发现
中危 外部 URL 外部 URL
https://api.justoneapi.com SKILL.md:5 目录结构
4 文件 · 27.2 KB · 829 行 JavaScript 1f · 427L
JSON 1f · 225L
Markdown 2f · 177L
├─
▾
bin
│ └─
run.mjs
JavaScript
├─
▾
generated
│ ├─
operations.json
JSON
│ └─
operations.md
Markdown
└─
SKILL.md
Markdown
安全亮点
✓ Uses native Node.js fetch API with zero external dependencies
✓ All 5 operations match the SKILL.md documentation exactly
✓ Token is only used for API authentication, not exfiltrated elsewhere
✓ Error handling is comprehensive without leaking sensitive information
✓ All HTTP requests are GET-only with parameters in query strings
✓ No obfuscation, base64, or dynamic code evaluation
✓ No credential harvesting beyond the declared JUST_ONE_API_TOKEN
✓ No sensitive file path access (no ~/.ssh, ~/.aws, .env enumeration)