maxhub-sora2
Pass
Audited by ClawScan on May 13, 2026.
Overview
The provided artifacts show a coherent Sora2/MaxHub browsing skill that uses your MaxHub API key and sends requested queries to aconfig.cn.
Install only if you trust MaxHub/aconfig.cn with your API key and Sora2 queries. Avoid submitting private information, watch paid API usage, and explicitly approve any chained, batch, upload, or generation actions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these endpoints are invoked, they may spend API quota or send supplied data to the provider.
The exported API registry includes paid POST endpoints in addition to browsing endpoints. They are provider-scoped and not shown as automatically invoked by the router, but users should notice the broader callable surface.
uploadImage: { path: '/upload_image', method: 'POST', price: 0.01 }, ... createVideo: { path: '/create_video', method: 'POST', price: 0.02 }
Approve only calls that match your request, and require explicit confirmation for chain, batch, POST, upload, or generation actions.
The provider receives the API key for authentication, and misuse of the key could consume account quota or access the provider account.
The skill reads MAXHUB_API_KEY from the environment and sends it as the configured authentication header for MaxHub API requests, which is expected for this integration.
const AUTH_ENV_NAME = config.apiBase.authEnvVar; ... [AUTH_HEADER]: resolveCredential()
Use a revocable, least-privilege API key where possible and rotate it if you stop using the skill.
Sensitive search terms or returned data could remain in memory during the session.
GET API responses are cached in process memory using request parameters as part of the cache key. This is scoped and temporary, but query/result data may remain available within the running process until expiry or eviction.
this.cache = new Map(); ... this.cache.set(key, { data, expireAt: Date.now() + (ttl || this.defaultTTL) })
Do not include private secrets in Sora2 search parameters, and clear/restart the session if sensitive data was queried accidentally.
