maxhub-tiktok
Advisory
Audited by static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user supplies a TikTok cookie, the skill may be able to use account/session authority beyond ordinary public TikTok searches.
The skill's install spec declares an optional TIKTOK_COOKIE credential in addition to MAXHUB_API_KEY. A TikTok cookie can represent a user session/account, but the user-facing SKILL.md parameter and privacy sections only clearly describe MAXHUB_API_KEY and query parameters.
"optionalEnvVars": [
"TIKTOK_COOKIE"
]
Do not provide TIKTOK_COOKIE unless the publisher clearly documents why it is needed, which endpoints use it, where it is sent, and how to avoid accessing private account data.
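The gap this finding describes (a credential declared in the install spec but never explained in SKILL.md) can be checked mechanically. The following is an added example, not code from the ClawScan report or from the maxhub-tiktok skill: it cross-references the env vars a manifest declares against the identifiers the documentation mentions and flags credential-like names the docs never describe. The manifest and SKILL.md excerpts are constructed for the example; only the names MAXHUB_API_KEY and TIKTOK_COOKIE come from the report, and the manifest field names and the credential heuristic are assumptions.

```javascript
// Added example (not part of the ClawScan report or the maxhub-tiktok skill):
// cross-check the env vars a skill manifest declares against the env vars its
// SKILL.md actually documents, so an undocumented credential like TIKTOK_COOKIE
// is surfaced before a user supplies it.

// Constructed manifest fragment; the field names are an assumption.
const manifest = {
  requiredEnvVars: ["MAXHUB_API_KEY"],
  optionalEnvVars: ["TIKTOK_COOKIE"],
};

// Constructed SKILL.md excerpt: only MAXHUB_API_KEY is described.
const skillMd = `
## Parameters
- MAXHUB_API_KEY: API key for the MaxHub service (aconfig.cn).
- query: search keyword sent to the MaxHub API.

## Privacy
This Skill fetches data through the MaxHub API (aconfig.cn); user query
parameters will be sent to that service.
`;

// Collect env-var-looking identifiers (UPPER_SNAKE with at least one underscore)
// that appear anywhere in the documentation text.
function mentionedEnvVars(text) {
  return new Set(text.match(/\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b/g) || []);
}

// Heuristic for names that usually carry session or account authority.
const CREDENTIAL_HINT = /(COOKIE|TOKEN|SECRET|PASSWORD|SESSION|KEY)/;

// For each declared variable report whether the docs mention it and whether it
// looks like a credential. A credential-like variable with no documentation is
// exactly the case the finding describes.
function auditEnvVars(manifest, docText) {
  const declared = [
    ...(manifest.requiredEnvVars || []).map((n) => ({ name: n, required: true })),
    ...(manifest.optionalEnvVars || []).map((n) => ({ name: n, required: false })),
  ];
  const documented = mentionedEnvVars(docText);
  return declared.map(({ name, required }) => {
    const isDocumented = documented.has(name);
    const credentialLike = CREDENTIAL_HINT.test(name);
    return {
      name,
      required,
      documented: isDocumented,
      credentialLike,
      severity: !isDocumented && credentialLike ? "review" : "ok",
    };
  });
}

// Names a user should withhold until the publisher documents them.
function undocumentedCredentials(manifest, docText) {
  return auditEnvVars(manifest, docText)
    .filter((r) => r.severity === "review")
    .map((r) => r.name);
}

console.log(auditEnvVars(manifest, skillMd));
```

Run against the constructed inputs, MAXHUB_API_KEY is documented and TIKTOK_COOKIE is reported for review; the same check can be pointed at a real manifest and SKILL.md pair to reproduce the finding.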
Search terms, TikTok identifiers, URLs, and similar request parameters may be visible to the external API provider.
The documentation clearly states that user query parameters are sent to the external MaxHub/aconfig.cn service. This is expected for the skill's purpose, but it is still an external data flow.
This Skill fetches data through the MaxHub API (aconfig.cn); user query parameters will be sent to that service.
Avoid submitting sensitive private information in prompts or API parameters, and review the provider's privacy and billing terms.
Recently requested TikTok data or query parameters may be reused from memory during the same runtime.
The skill includes an in-memory LRU cache for API responses with a default 5-minute TTL and 100-entry cap. This is bounded and purpose-aligned, but request/response data can remain in process memory temporarily.
this.maxSize = options.maxSize || 100;
this.defaultTTL = options.defaultTTL || 5 * 60 * 1000;
this.cache = new Map();
Do not use sensitive search terms or session data with this skill; the publisher should ensure credentials such as cookies are never included in cache keys or cached responses.
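The recommendation above (credentials never in cache keys or cached responses) is easiest to enforce at the point where a response enters the cache. The following is an added example, not the skill's own cache implementation: a bounded LRU cache with a TTL using the same defaults the finding reports (100 entries, 5 minutes), whose keys are derived only from the endpoint and non-credential query parameters and whose stored responses have session-bearing headers stripped. The parameter and header names treated as credentials, the endpoint path, and the sample request/response are assumptions constructed for this example.

```javascript
// Added example (not code from the maxhub-tiktok skill or the ClawScan report):
// an in-memory LRU cache with TTL that keeps credentials out of both keys and
// stored values. Credential parameter/header names below are assumptions.

const CREDENTIAL_PARAMS = new Set(["cookie", "api_key", "apikey", "token", "authorization"]);
const CREDENTIAL_HEADERS = new Set(["set-cookie", "authorization", "cookie"]);

// Deterministic cache key from endpoint + sorted, non-credential params.
// Requests that differ only in the supplied cookie or API key share a key, so
// the credential never becomes part of the Map and cannot leak through it.
function cacheKey(endpoint, params) {
  const safe = Object.keys(params)
    .filter((k) => !CREDENTIAL_PARAMS.has(k.toLowerCase()))
    .sort()
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(String(params[k]))}`);
  return `${endpoint}?${safe.join("&")}`;
}

// Drop headers that carry session material before a response is stored.
function sanitizeResponse(res) {
  const headers = {};
  for (const [name, value] of Object.entries(res.headers || {})) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) headers[name] = value;
  }
  return { status: res.status, headers, body: res.body };
}

class LRUCache {
  constructor(options = {}) {
    this.maxSize = options.maxSize || 100;
    this.defaultTTL = options.defaultTTL || 5 * 60 * 1000;
    this.now = options.now || Date.now; // injectable clock so TTL can be tested
    this.cache = new Map(); // Map keeps insertion order: first key is least recent
  }

  get(key) {
    const entry = this.cache.get(key);
    if (!entry) return undefined;
    if (entry.expiresAt <= this.now()) { // expired: evict and report a miss
      this.cache.delete(key);
      return undefined;
    }
    this.cache.delete(key); // re-insert to mark as most recently used
    this.cache.set(key, entry);
    return entry.value;
  }

  set(key, value, ttl = this.defaultTTL) {
    if (this.cache.has(key)) {
      this.cache.delete(key);
    } else if (this.cache.size >= this.maxSize) {
      this.cache.delete(this.cache.keys().next().value); // evict least recently used
    }
    this.cache.set(key, { value, expiresAt: this.now() + ttl });
  }
}

// Store a response under a credential-free key with credential headers removed.
function cacheResponse(cache, endpoint, params, response) {
  const key = cacheKey(endpoint, params);
  cache.set(key, sanitizeResponse(response));
  return key;
}

// Constructed request/response pair for demonstration (not real traffic).
const sampleParams = { keyword: "security", cookie: "sessionid=abc123", count: 10 };
const sampleResponse = {
  status: 200,
  headers: { "content-type": "application/json", "set-cookie": "sessionid=abc123; HttpOnly" },
  body: '{"items":[]}',
};

const demo = new LRUCache();
console.log(cacheResponse(demo, "/search", sampleParams, sampleResponse));
```

The key for the sample request contains only count and keyword, and the cached value no longer carries Set-Cookie; a cache built this way still bounds memory and expires entries, but a memory dump of the process during the TTL window exposes query terms and response bodies, which is why the finding also advises against sensitive search terms.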
Complex or batch requests may result in multiple API calls and account charges.
The skill can chain multiple external API calls, which can consume paid API quota. The documentation says explicit user confirmation is required, which makes the behavior purpose-aligned but worth noticing.
Chained calls: complex requests can be fulfilled by chaining multiple API calls (executed only after explicit user confirmation).
Confirm expected call counts and costs before allowing large chained or batch requests.
