maxhub-pipixia

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: maxhub-pipixia
Version: 1.1.2

The skill bundle is a well-architected tool for collecting data from the PiPiXia social media platform via the MaxHub API (aconfig.cn). It includes sophisticated but legitimate logic for request deduplication, LRU caching, and a decision engine to optimize API calls based on cost and latency. The code correctly handles sensitive credentials by reading the MAXHUB_API_KEY from environment variables and only transmitting it to the designated API endpoint. No evidence of malicious intent, prompt injection attacks, or unauthorized data exfiltration was found across the core logic (index.ts, service/api.js) or the agent instructions (SKILL.md, system.prompt.md).

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill requires trusting the MaxHub/aconfig.cn service with the API key and any account billing associated with API calls.

Why it was flagged

The skill uses a provider API key from the environment and sends it as an authentication header to the declared MaxHub provider.

Skill content

"apiBase": { "url": "https://www.aconfig.cn", "authHeader": "x-api-key", "authEnvVar": "MAXHUB_API_KEY" }

Recommendation

Use a revocable or scoped API key if available, monitor usage/balance, and remove the key if you no longer use the skill.

What this means

Search terms, user IDs, item IDs, or URLs supplied to the skill may be sent to a third-party API service.

Why it was flagged

The documentation discloses that user query parameters are transmitted to the external API provider.

Skill content

This Skill retrieves data through the MaxHub API (aconfig.cn); user query parameters will be sent to that service.

Recommendation

Do not submit private or sensitive information as search/query parameters unless you are comfortable sharing it with the provider.

What this means

Complex or batch requests may consume paid API quota through multiple calls.

Why it was flagged

The skill can perform multiple API calls for complex requests, which can increase cost or data sharing, but the documentation says explicit confirmation is needed.

Skill content

Chained calls: complex requests can be fulfilled by chaining multiple APIs (executed only after explicit user confirmation).

Recommendation

Review and confirm chained or bulk requests, especially when requesting more than the default number of results.