maxhub-hybrid

Pass

Audited by ClawScan on May 13, 2026.

Overview

The reviewed artifacts match a MaxHub URL-parsing skill and show no malicious behavior, but using it sends supplied URLs to aconfig.cn with your MaxHub API key.

Use this skill only if you trust MaxHub/aconfig.cn with the URLs you submit. Configure a dedicated API key, monitor account usage, avoid private or token-containing links, and verify the release/version because the provided artifacts have inconsistent version labels.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

It may be harder to confirm exactly which release is installed or reviewed.

Why it was flagged

The supplied artifacts contain inconsistent version labels, while the registry metadata lists version 1.1.2; this is a provenance/release-tracking note rather than evidence of malicious behavior.

Skill content
version: 1.1.1 ... Version: v1.0.11
Recommendation

Verify the publisher, homepage/repository, and file contents before relying on the skill in sensitive workflows.

What this means

Your MaxHub account key can be used for API calls and billing when the skill is invoked.

Why it was flagged

The code reads the configured environment variable, MAXHUB_API_KEY, and attaches it as the x-api-key header for MaxHub provider requests.

Skill content
const AUTH_ENV_NAME = config.apiBase.authEnvVar; ... [AUTH_HEADER]: resolveCredential(),
Recommendation

Use a dedicated MaxHub API key with appropriate limits, monitor usage/balance, and rotate the key if you no longer trust the environment.

What this means

The provider may receive URLs or query parameters you ask the skill to parse, including any private tokens embedded in those URLs.

Why it was flagged

The skill explicitly discloses that user query parameters are sent to the external MaxHub/aconfig.cn API service.

Skill content
This Skill obtains data through the MaxHub API (aconfig.cn); user query parameters will be sent to that service
Recommendation

Avoid submitting private, internal, or token-bearing URLs unless you trust the provider and understand its data handling.

What this means

Recently parsed URLs and returned data may remain in the running process briefly and be reused for repeated requests.

Why it was flagged

The skill stores recent GET responses and parameter-derived cache keys in an in-memory cache with TTL/capacity limits.

Skill content
this.cache = new Map(); ... this.cache.set(key, { data, expireAt: Date.now() + (ttl || this.defaultTTL) })
Recommendation

Do not parse sensitive links; restart or clear the runtime if you need to discard cached results.