Maxhub Douyin Fan Mining

Review. Audited by ClawScan on May 14, 2026.

Overview

Review recommended: the skill mostly matches its Douyin live-analytics purpose, but it needs a MaxHub API token and has conflicting claims about not writing files or storing tokens.

Install only if you trust the MaxHub API integration and need this live-room monitoring. Prefer using environment variables instead of a config file for the token, verify any setup scripts before running them, and only expose the MCP/report interfaces to trusted local agents.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may believe the MaxHub token will never be stored on disk, then follow the config-file setup and leave the token in a local file.

Why it was flagged

The same documentation claims tokens are not written to files while also instructing users to create a config file containing the real token.

Skill content
Option 2: config file ... cp config.template.json config.json ... fill in the actual Token ... Security notes ... Token resides in memory only, never written to a file ... zero file generation
Recommendation

Prefer the environment-variable setup, delete any config.json that still contains a real token once it is no longer needed, and ask the publisher to qualify or correct the "zero file" and "token in memory only" claims so they match the documented config-file path.

What this means

If the token is leaked or over-scoped, someone else could use the user’s MaxHub API access or quota.

Why it was flagged

The skill requires a MaxHub API key to access the provider API; this is purpose-aligned but grants API/account authority.

Skill content
maxhub_token | MaxHub API key | required
Recommendation

Use a scoped and revocable MaxHub token, avoid sharing reports or configs containing it, and verify the registry declares the credential requirement.

What this means

Connected agents or tools may be able to access collected fan profiles, labels, and report data if MCP access is enabled in an untrusted environment.

Why it was flagged

The skill exposes fan lists, reports, and per-user tags through MCP-style interfaces, but the documentation does not describe caller identity or data-boundary controls.

Skill content
MCP ecosystem interfaces ... getRealTimeHighValueFan ... getLiveEndFanReport ... getFanLevelTag
Recommendation

Only enable these interfaces for trusted local clients and avoid connecting the skill to untrusted agents or shared MCP gateways.

What this means

Running npm/package setup can execute the skill’s local scripts, not just copy documentation.

Why it was flagged

The package defines Node scripts, including an install lifecycle script; this is common for Node packages but means setup may execute local code.

Skill content
"scripts": { "start": "node index.js", "test": "node test/test.js", "install": "node scripts/install.js", "config": "node scripts/config.js" }
Recommendation

Read the setup scripts before running them, run them only when the package comes from a trusted source, and prefer the minimal documented commands you actually need over a full lifecycle-driven install.