maxhub-threads

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: maxhub-threads
Version: 1.1.2

The skill bundle is a well-structured tool for collecting Threads data via the MaxHub API (aconfig.cn). It includes sophisticated but legitimate features for request deduplication, LRU caching, and a decision engine to optimize API costs and latency. Analysis of the code (index.ts, service/api.js) and instructions (SKILL.md, system.prompt.md) reveals no evidence of data exfiltration, malicious execution, or harmful prompt injection; all network activity is directed to the stated service provider and is consistent with the tool's purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill lets the agent use your MaxHub API key and potentially consume account quota or balance.

Why it was flagged

The skill reads the configured environment credential and attaches it to outgoing provider API requests. This is expected for MaxHub access, but it is still a paid/service credential boundary.

Skill content

const AUTH_HEADER = config.apiBase.authHeader;
const AUTH_ENV_NAME = config.apiBase.authEnvVar;
...
[AUTH_HEADER]: resolveCredential()

Recommendation

Use a dedicated MaxHub key with limited balance or quota if available, and revoke/rotate it if you stop using the skill.

What this means

Search terms, usernames, post IDs, or URLs you ask about may be shared with the external API provider.

Why it was flagged

The artifact clearly discloses that user query parameters are sent to the MaxHub/aconfig.cn service.

Skill content

This Skill retrieves data through the MaxHub API (aconfig.cn); user query parameters will be sent to that service.

Recommendation

Avoid submitting sensitive personal or private information as query terms, and install only if you trust the provider.

What this means

Large or chained collection tasks can make multiple API calls and consume paid quota.

Why it was flagged

The skill can support chained or batch API collection and acknowledges account-balance impact; the documentation says confirmation/cost prompts should occur.

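Skill content

Chained calls: complex requests can be completed by chaining multiple APIs (executed only after explicit user confirmation) ... Before batch operations (>10 items), the estimated number of calls is shown; please keep an eye on your account balance.
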
Recommendation

Require the agent to show the planned number of calls and estimated cost before approving batch or chained requests.

What this means

Version drift can make it harder to confirm exactly which release you are installing or auditing.

Why it was flagged

The SKILL.md itself contains inconsistent version indicators, and the supplied registry metadata lists another version. This is a provenance/maintenance signal rather than evidence of malicious behavior.

Skill content

version: 1.1.1 ... Version: v1.0.9

Recommendation

Verify the publisher, repository, and release version before relying on the skill in a sensitive workflow.