Scan Report
5 /100
Beike API (justoneapi_beike)
Analyze Beike workflows with JustOneAPI — resale Housing Details, resale Housing List, and community List
A straightforward Beike real-estate API wrapper that makes GET requests to a single declared endpoint with no malicious behavior, obfuscation, or credential exfiltration.
Safe to install
Skill is safe to use. No action required.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | bin/run.mjs:91 — fetch(url, requestInit) to https://api.justoneapi.com |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md invokes 'node {baseDir}/bin/run.mjs' |
| Filesystem | READ | READ | ✓ Aligned | SKILL.md instructs reading generated/operations.md; no file writes found |
| Environment | NONE | NONE | — | Token passed via CLI arg ($JUST_ONE_API_TOKEN), not read via process.env iterati… |
| Skill Invoke | NONE | NONE | — | No recursive skill invocation found |
1 findings
Medium External URL 外部 URL
https://api.justoneapi.com SKILL.md:5 File Tree
4 files · 21.7 KB · 672 lines JavaScript 1f · 371L
JSON 1f · 169L
Markdown 2f · 132L
├─
▾
bin
│ └─
run.mjs
JavaScript
├─
▾
generated
│ ├─
operations.json
JSON
│ └─
operations.md
Markdown
└─
SKILL.md
Markdown
Security Positives
✓ All 3 operations are fully documented in both SKILL.md and generated/operations.md
✓ Code is clean and readable — no obfuscation, base64, or eval usage
✓ No sensitive file/path access (no ~/.ssh, ~/.aws, .env scanning)
✓ No environment variable iteration for credential harvesting
✓ Token is passed via CLI argument, not hardcoded or exfiltrated
✓ Network requests go to a single declared domain (https://api.justoneapi.com)
✓ Only GET requests are made; no POST/PUT with unexpected payloads
✓ Error handling is proper with structured JSON error output
✓ No supply chain risk — no dependencies/imports beyond Node.js builtins
✓ No persistence mechanisms (no cron, startup hooks, or backdoors)