maxhub-douyin
Advisory
Audited by Static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The API key can authorize requests against the user's MaxHub account and may consume paid credits.
The skill requires a MaxHub API key and uses it as an API authentication header for the external provider.
"requires": { "env": [ "MAXHUB_API_KEY" ], "primaryEnv": "MAXHUB_API_KEY" }, ... "apiBase": { "url": "https://www.aconfig.cn", "authHeader": "x-api-key", "authEnvVar": "MAXHUB_API_KEY" }
Use a dedicated, revocable API key if possible, monitor usage, and remove the key if you stop using the skill.
Multi-step or broad data requests may send more query data to the provider and may increase API usage costs.
The skill is designed to make external HTTP API calls and can chain multiple API calls for complex Douyin analysis.
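tools:\n - http ... Full coverage: 285 APIs in total ... Chained calls: complex requests can be fulfilled by chaining multiple APIs (executed only after explicit user confirmation)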
Confirm the scope of multi-step or batch requests, especially when asking for many videos, comments, profiles, or analytics.
Search terms, Douyin links, user IDs, and other request parameters may be visible to the API provider.
The artifacts explicitly disclose that user query parameters are transmitted to the external provider.
"privacyNote": "User query parameters are sent to the configured API provider (aconfig.cn). Do not submit sensitive private information."
Avoid submitting private, confidential, or sensitive personal information in Douyin queries.
Recent GET response data and query parameters may remain in process memory briefly to reduce repeated API calls.
The skill includes an in-memory LRU cache for API responses and request parameters, bounded by size and TTL.
this.maxSize = options.maxSize || 100;
this.defaultTTL = options.defaultTTL || 5 * 60 * 1000;
this.cache = new Map();
Do not submit sensitive private information; clear or restart the runtime if you need to flush cached results.
Publisher provenance is less clear than it would be for a fully verified source.
The registry metadata does not identify a verified source for the package, although a homepage and repository are listed elsewhere.
Source: unknown
Verify the publisher, homepage, repository, and API provider before installing or supplying an API key.
