maxhub-twitter

Pass

Audited by ClawScan on May 13, 2026.

Overview

This appears to be a purpose-aligned Twitter/X data lookup skill, but it uses your MaxHub API key and sends query data to aconfig.cn.

This skill looks coherent for Twitter/X data collection through MaxHub. Before installing, make sure you trust aconfig.cn/MaxHub, use a dedicated API key with spending controls if possible, avoid sensitive search terms, and approve any bulk or chained requests deliberately.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using this skill authorizes requests against the configured MaxHub account, which may consume quota or balance.

Why it was flagged

The skill reads the configured MaxHub API key from the environment and sends it as an authentication header for provider API calls.

Skill content
const AUTH_ENV_NAME = config.apiBase.authEnvVar; ... return env[AUTH_ENV_NAME] || ''; ... [AUTH_HEADER]: resolveCredential(),
Recommendation

Use a dedicated MaxHub API key if possible, keep it out of chat messages, set account limits where available, and monitor usage.

What this means

Search keywords, usernames, tweet IDs, or other query terms may be visible to the provider service.

Why it was flagged

The documentation discloses that user query parameters are sent to the external MaxHub provider.

Skill content
This Skill retrieves data through the MaxHub API (aconfig.cn); user query parameters will be sent to that service
Recommendation

Avoid submitting private, confidential, or sensitive personal information as Twitter/X search terms or identifiers.

What this means

Large or chained requests could spend API balance or make more external calls than a simple lookup.

Why it was flagged

The skill supports multi-step and batch API calls that can consume paid provider calls, while the documentation says confirmation and cost prompts should be used.

Skill content
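Chained calls: complex requests can be completed by chaining multiple APIs (executed only after explicit user confirmation) ... Before batch operations (>10 items), the estimated number of calls will be shown; please keep an eye on your account balance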
Recommendation

Confirm bulk or chained requests only when you want them, and check any cost estimate before proceeding.

What this means

Recent query parameters and returned Twitter/X data may remain in the skill runtime cache for a short period.

Why it was flagged

API responses are cached in memory using a key derived from request parameters; this is bounded and purpose-aligned, but it temporarily retains query-related data.

Skill content
this.cache = new Map(); ... map(k => `${k}=${params[k]}`) ... this.cache.set(key, { data, expireAt: Date.now() + (ttl || this.defaultTTL) })
Recommendation

Do not use sensitive query terms, and clear or restart the runtime if you need to remove cached session data.

What this means

The provided evidence does not show malicious behavior, but the review cannot fully verify omitted runtime or prompt files.

Why it was flagged

These runtime helper modules are imported, but the supplied artifact excerpt omits some referenced files, so their behavior cannot be fully reviewed here.

Skill content
const { RequestDeduplicator, RequestBatcher, RedundancyFilter, createOptimizer } = require('./optimizer'); ... const pricingService = require('./pricing-service');
Recommendation

Install only from a trusted ClawHub/repository source and review the complete package contents if possible.