maxhub-toutiao

Pass

Audited by ClawScan on May 13, 2026.

Overview

This appears to be a purpose-aligned Toutiao/MaxHub data API skill, but it needs your MaxHub API key and sends your query parameters to aconfig.cn, which may incur API costs.

Install if you are comfortable using MaxHub/aconfig.cn for Toutiao data retrieval. Configure only the needed API key, avoid sensitive query content, watch for API charges or quota use, and verify the package version/repository because the supplied metadata versions do not all match.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You may have a harder time confirming exactly which release you are installing.

Why it was flagged

The SKILL.md contains version values that differ from the registry version 1.1.2 and config/package version 1.0.9. This is a packaging/provenance inconsistency, not evidence of malicious behavior.

Skill content

version: 1.1.1 ... 版本:v1.0.9

Recommendation

Verify the package version and repository before installing, especially if you depend on a specific release.

What this means

Anyone using the skill is allowing it to make account-backed MaxHub API calls, which may consume quota or balance.

Why it was flagged

The skill reads MAXHUB_API_KEY from the environment and sends it as the configured authentication header to the MaxHub API provider.

Skill content

return env[AUTH_ENV_NAME] || ''; ... [AUTH_HEADER]: resolveCredential()

Recommendation

Use a scoped API key if available, monitor MaxHub usage/costs, and do not share the key in prompts or files.

What this means

Search terms, Toutiao IDs, links, or other query parameters you provide may be visible to the API provider.

Why it was flagged

The skill explicitly discloses that user query parameters are sent to the external MaxHub service at aconfig.cn.

Skill content

This Skill retrieves data through the MaxHub API (aconfig.cn); user query parameters will be sent to that service.

Recommendation

Avoid sending private, confidential, or sensitive personal information in queries.

What this means

Recent API results and query-derived keys can remain available within the running session, although the reviewed code does not show disk persistence.

Why it was flagged

API responses and parameter-derived cache keys are stored in an in-memory LRU cache for reuse until TTL or eviction.

Skill content

this.cache.set(key, { data, expireAt: Date.now() + (ttl || this.defaultTTL), createdAt: Date.now() })

Recommendation

Treat cached results as session-local data and avoid submitting sensitive queries.