maxhub-instagram

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Package: maxhub-instagram (xpi)
Version:
Description: The package is a structured 'Skill' for Instagram data collection, designed to interface with the MaxHub API (aconfig.cn). The source code implements a sophisticated middleware layer including LRU caching, request deduplication, performance monitoring, and a decision engine to optimize API calls based on cost and latency. It uses standard fetch calls to its designated backend and handles authentication via a user-provided API key stored in environment variables. There is no evidence of shell execution, unauthorized secret exfiltration, or dynamic payload execution.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may run in more situations than expected, potentially sending non-Instagram search terms to the provider and using API quota or balance.

Why it was flagged

The trigger includes generic image/story terms as well as Instagram-specific terms, so the agent could invoke a paid external Instagram API for requests that only mention pictures or stories.

Skill content

trigger: "instagram|ins|图片|reel|story|ins搜索"

Recommendation

Invoke it only for Instagram-related requests, and consider tightening the trigger to Instagram-specific wording if you manage the skill configuration.

What this means

Your MaxHub API key is used to access the provider service, and requests may affect quota or billing.

Why it was flagged

The skill authenticates requests to the configured API provider using the local MAXHUB_API_KEY and sends user query parameters in API requests.

Skill content

const headers = { [AUTH_HEADER]: resolveCredential(), 'Content-Type': 'application/json' }; ... const fullUrl = query ? `${url}?${query}` : url; ... fetch(fullUrl, options)

Recommendation

Use a dedicated, revocable API key if possible, monitor usage and balance, and do not install unless you trust aconfig.cn/MaxHub with these requests.

What this means

Recent Instagram lookup results may be reused from memory for a short period, which improves cost/performance but can return stale data or retain sensitive-looking query results temporarily.

Why it was flagged

The API optimization layer caches recent API responses for up to three minutes, which can temporarily retain query-associated results in memory.

Skill content

cache: { maxSize: 50, defaultTTL: 3 * 60 * 1000 }

Recommendation

Avoid submitting private or sensitive search terms, and restart or clear the runtime if you need to ensure cached results are discarded.