maxhub-reddit

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: maxhub-reddit
Version: 1.1.2

The maxhub-reddit skill bundle is a well-structured tool designed to interface with the Reddit data collection API provided by MaxHub (aconfig.cn). The code implements standard API wrapper patterns, including environment variable retrieval for the API key (MAXHUB_API_KEY), request routing, and data formatting. It features a sophisticated but non-malicious 'optimization layer' in the shared/ directory that handles caching, request deduplication, and cost monitoring. No evidence of data exfiltration, unauthorized execution, or prompt injection was found; all network activity is directed to the stated service endpoint (https://www.aconfig.cn).

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your MaxHub API key will be used to make provider requests and may affect your MaxHub quota or billing.

Why it was flagged

The skill reads the configured MaxHub API key from the environment and sends it as the provider authentication header. This is expected for the declared MaxHub integration, but it is still account-level credential use.

Skill content
const AUTH_ENV_NAME = config.apiBase.authEnvVar; ... [AUTH_HEADER]: resolveCredential()
Recommendation

Use a dedicated MaxHub API key with appropriate limits, monitor usage, and revoke or rotate the key if you stop using the skill.

What this means

Search terms, subreddit names, post IDs, usernames, and similar parameters may be visible to the MaxHub API provider.

Why it was flagged

The skill discloses that user query parameters are sent to the external MaxHub provider. This is purpose-aligned, but it is a privacy-relevant data flow.

Skill content
This Skill retrieves data through the MaxHub API (aconfig.cn); user query parameters are sent to that service.
Recommendation

Do not submit private or sensitive information as query parameters, and review the provider’s privacy and retention practices if that matters for your use case.

What this means

Large or chained Reddit data requests can consume more API calls and potentially incur provider costs.

Why it was flagged

The skill supports chained and batch-style workflows that can make multiple paid API calls. The documentation includes user-confirmation guidance, which makes this purpose-aligned rather than suspicious.

Skill content
Batch detail retrieval returns at most 10 items by default; fetching more requires user confirmation.
Recommendation

Confirm bulk or chained requests before running them, keep result counts small unless needed, and check cost estimates or account balance for large data pulls.