Scan Report
0 /100
justoneapi_facebook
Analyze Facebook workflows with JustOneAPI, including post Search, get Profile ID, and get Profile Posts.
This is a legitimate, transparent JustOneAPI wrapper for three Facebook operations with no hidden functionality, no shell access, and no credential exfiltration beyond the declared API token sent to the expected endpoint.
Safe to install
No action needed. The skill is safe to use as documented.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | bin/run.mjs:116 — response = await fetch(url, requestInit); makes GET requests t… |
| Filesystem | NONE | NONE | — | bin/run.mjs — no file read/write operations; script is executed by the shell, no… |
| Shell | NONE | NONE | — | bin/run.mjs — no subprocess, exec, spawn, or shell command invocation |
| Environment | NONE | NONE | — | bin/run.mjs — no process.env access beyond the CLI-passed token |
| Skill Invoke | NONE | NONE | — | No cross-skill invocation detected |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
2 findings
Medium External URL 外部 URL
https://api.justoneapi.com SKILL.md:5 Medium External URL 外部 URL
https://www.facebook.com bin/run.mjs:29 File Tree
4 files · 20.3 KB · 653 lines JavaScript 1f · 362L
JSON 1f · 160L
Markdown 2f · 131L
├─
▾
bin
│ └─
run.mjs
JavaScript
├─
▾
generated
│ ├─
operations.json
JSON
│ └─
operations.md
Markdown
└─
SKILL.md
Markdown
Security Positives
✓ Clean, minimal implementation with no obfuscation, no base64, no eval()
✓ SKILL.md accurately describes all three operations and their invocation pattern
✓ No shell execution, subprocess, or command injection vectors
✓ No sensitive path access (~/.ssh, ~/.aws, .env, etc.)
✓ No environment variable enumeration (process.env not accessed except via CLI token)
✓ Token is passed only to the declared third-party API endpoint as a query parameter, which is expected for API authentication
✓ No cross-skill invocation, no persistence mechanisms, no supply chain risks
✓ All network requests are explicitly declared GET operations to api.justoneapi.com