maxhub-lemon8
Pass. Audited by ClawScan on May 13, 2026.
Overview
The provided files are consistent with a Lemon8 data-collection skill, but the skill uses a MaxHub API key, sends queries to a third-party API, and has minor provenance/version inconsistencies to review.
This looks benign for its stated purpose. Before installing, use a dedicated MaxHub API key, avoid sending private information in Lemon8 queries, confirm any bulk or chained collection requests, and review the final installed package for the omitted files and version consistency.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill gives it access to a MaxHub API key, which may allow paid API calls against the user's MaxHub account.
The skill is configured to use the MAXHUB_API_KEY environment variable as an authentication header for the MaxHub API provider.
"url": "https://www.aconfig.cn", "authHeader": "x-api-key", "authEnvVar": "MAXHUB_API_KEY"
Use a dedicated/revocable API key with limited balance or quota, and monitor MaxHub usage.
Search terms, share text, IDs, or other query parameters may be visible to the provider.
The skill explicitly discloses that user query parameters are sent to the external MaxHub/aconfig.cn service.
This Skill fetches data through the MaxHub API (aconfig.cn); user query parameters will be sent to that service ... Do not submit sensitive information involving personal privacy
Avoid submitting sensitive personal information, private account data, or confidential business queries.
Broad or chained requests may consume API quota or balance faster than a single search.
The skill supports multi-step and batch API usage, which can increase the number of external provider calls; the artifact also includes user-confirmation guidance.
Chained calls: complex requests can be completed by chaining multiple APIs (executed only after explicit user confirmation) ... Before batch operations (>10 items), the estimated number of calls will be shown
Confirm expected call counts and cost before allowing bulk or multi-step data collection.
Version mismatch can make it harder to verify exactly which release is installed or documented.
The artifact shows inconsistent version strings, which is a provenance/maintenance quality note rather than evidence of malicious behavior.
version: 1.1.1 ... 版本:v1.0.11
Prefer a package with consistent registry, manifest, and documentation versions, or verify the publisher/repository before relying on it.
