maxhub-hybrid
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: maxhub-hybrid
Version: 1.1.2
The skill bundle provides a legitimate interface for a multi-platform video and URL parsing service hosted at aconfig.cn. The code is well-structured and includes comprehensive features for API cost monitoring, LRU caching, and request deduplication to optimize performance and minimize user costs. It correctly handles the MAXHUB_API_KEY environment variable and includes restrictive system prompts that instruct the AI agent to prioritize data privacy and user confirmation for billable actions. No indicators of data exfiltration, malicious execution, or harmful prompt injection were found across the analyzed files (index.ts, service/api.js, and system.prompt.md).
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
It may be harder to confirm exactly which release is installed or reviewed.
The supplied artifacts contain inconsistent version labels, while the registry metadata lists version 1.1.2; this is a provenance/release-tracking note rather than evidence of malicious behavior.
version: 1.1.1 ... 版本:v1.0.11
Verify the publisher, homepage/repository, and file contents before relying on the skill in sensitive workflows.
Your MaxHub account key can be used for API calls and billing when the skill is invoked.
The code reads the configured environment variable, MAXHUB_API_KEY, and attaches it as the x-api-key header for MaxHub provider requests.
const AUTH_ENV_NAME = config.apiBase.authEnvVar; ... [AUTH_HEADER]: resolveCredential(),
Use a dedicated MaxHub API key with appropriate limits, monitor usage/balance, and rotate the key if you no longer trust the environment.
The provider may receive URLs or query parameters you ask the skill to parse, including any private tokens embedded in those URLs.
The skill explicitly discloses that user query parameters are sent to the external MaxHub/aconfig.cn API service.
This Skill obtains data through the MaxHub API (aconfig.cn); user query parameters will be sent to that service
Avoid submitting private, internal, or token-bearing URLs unless you trust the provider and understand its data handling.
Recently parsed URLs and returned data may remain in the running process briefly and be reused for repeated requests.
The skill stores recent GET responses and parameter-derived cache keys in an in-memory cache with TTL/capacity limits.
this.cache = new Map(); ... this.cache.set(key, { data, expireAt: Date.now() + (ttl || this.defaultTTL) })
Do not parse sensitive links; restart or clear the runtime if you need to discard cached results.
