maimai-cli
Pass
Audited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill
Name: maimai-cli
Version: 1.1.0
The maimai-cli skill bundle is a well-documented interface for interacting with the Maimai social platform via a local CLI tool. The instructions in SKILL.md and references/auth.md are notably security-conscious, explicitly directing the AI agent to avoid asking for or echoing sensitive session cookies in the chat. The functionality is limited to standard social media interactions (feeds, search, comments) and includes defensive guidelines to protect user privacy. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could retrieve and expose private Maimai account or API data beyond the user’s intended scoped task.
The skill documents an authenticated raw GET command for arbitrary same-origin paths. That bypasses the safer feed/detail/profile commands and the warning itself acknowledges sensitive parameters or responses may be involved.
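maimai raw-get /community/api/common/get-user-info?__platform=community_web ... the user wants to verify a same-origin GET path ... avoid pasting the raw path containing sensitive parameters and the full response back into the conversation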
Prefer the scoped commands. Use raw-get only when the user explicitly provides the exact endpoint for debugging, and redact sensitive parameters and response fields before sharing.
Anyone with the full cookie may be able to access the user’s Maimai account session.
The skill clearly relies on full Maimai session cookies. This is purpose-aligned and includes good safety warnings, but session cookies are high-impact credentials.
Recommend that users run this in their own terminal; do not send the full Cookie into the chat ... maimai import-cookie-header --cookie '完整 Cookie 头' ... export MAIMAI_COOKIE='完整 Cookie 头'
Import cookies only in a trusted local terminal, never paste full cookies into chat, and use logout or re-login to invalidate exposed sessions.
The actual runtime behavior depends on the external maimai-cli package installed on the user’s machine.
The reviewed skill contains only routing documentation and tells users to install an external CLI package. That is expected for this skill, but the package code and exact version are not included in the artifact review.
If not installed:
```bash
uv tool install maimai-cli
```
Install only from a trusted source, review the package/homepage if possible, and consider pinning a known-good version.
The agent could open the wrong cached item if the short-index context changed, and recent browsing/search references may remain locally available.
The CLI caches recent list and comment references so short indexes like 1 or 2 can be reused. This is useful and disclosed, but stale or sensitive cached context can affect later actions.
The CLI caches the reference table of the most recent list ... after running `comments`, the comment short indexes are written to a separate cache
Run `maimai refs` or `maimai refs --scope comments` before using short indexes, and clear/logout local state when switching accounts or after sensitive sessions.
