maxhub-bilibili
Pass
Audited by ClawScan on May 13, 2026.
Overview
This appears to be a legitimate Bilibili data-query skill that uses a MaxHub API key and sends requested queries to aconfig.cn, with no evidence of hidden or destructive behavior in the provided artifacts.
Install only if you are comfortable sending Bilibili-related query parameters to MaxHub/aconfig.cn and using a MAXHUB_API_KEY that may incur per-call charges. Avoid sensitive private prompts, keep batch requests bounded, and monitor API-key usage.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API calls will be made under the user's MaxHub account and may consume quota or balance.
The skill reads the MAXHUB_API_KEY from the environment and sends it as the configured authentication header for provider API calls.
const AUTH_HEADER = config.apiBase.authHeader; ... [AUTH_HEADER]: resolveCredential()
Use a dedicated MaxHub API key if possible, monitor usage/billing, and revoke or rotate the key if you stop using the skill.
Large or chained requests could use more API credits than a single lookup.
The skill can chain multiple HTTP API calls for complex Bilibili analysis tasks, which is purpose-aligned but can increase request volume and cost.
Chained calls: complex requests can be completed by chaining multiple APIs (executed only after explicit user confirmation)
Confirm larger batch or chained requests, keep page/count limits modest, and check estimated cost when the agent proposes multi-step collection.
Search terms, Bilibili URLs, video IDs, user IDs, or similar request parameters may be visible to the provider.
The privacy section explicitly discloses that user query parameters are sent to the external MaxHub API provider.
User query parameters will be sent to this service
Avoid submitting sensitive private information in prompts or query parameters, and review the provider's privacy and billing terms.
Recent query results may remain in process memory briefly for reuse, but the provided code does not show disk persistence or cross-session storage.
API responses and request-derived cache keys are stored in a bounded in-memory LRU cache with a TTL.
this.maxSize = options.maxSize || 100; this.defaultTTL = options.defaultTTL || 5 * 60 * 1000; this.cache = new Map();
Treat recent results as temporarily cached and avoid sensitive queries if the runtime is shared.
It may be harder to verify exactly which release or source package is being installed.
The registry source is listed as unknown, and versions differ across provided artifacts, which is a provenance/packaging clarity issue rather than evidence of malicious behavior.
Source: unknown; Version: 1.1.2
Prefer installing from a trusted registry entry, verify the publisher/repository, and check for updated metadata if provenance matters to your workflow.
