maxhub-twitter
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: maxhub-twitter
Version: 1.1.2
The maxhub-twitter skill bundle is a well-engineered tool for Twitter/X data collection and analysis via the MaxHub API (aconfig.cn). It features a sophisticated architecture including an LRU cache (shared/cache.js), a decision engine for cost/latency optimization (shared/decision.js), and performance monitoring (shared/monitor.js). The code follows standard security practices, such as using environment variables for API keys and providing clear privacy disclosures regarding data transmission to the service provider. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found; the logic is entirely consistent with the stated purpose of social media data retrieval.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill authorizes requests against the configured MaxHub account, which may consume quota or balance.
The skill reads the configured MaxHub API key from the environment and sends it as an authentication header for provider API calls.
const AUTH_ENV_NAME = config.apiBase.authEnvVar; ... return env[AUTH_ENV_NAME] || ''; ... [AUTH_HEADER]: resolveCredential(),
Use a dedicated MaxHub API key if possible, keep it out of chat messages, set account limits where available, and monitor usage.
Search keywords, usernames, tweet IDs, or other query terms may be visible to the provider service.
The documentation discloses that user query parameters are sent to the external MaxHub provider.
This Skill retrieves data through the MaxHub API (aconfig.cn); user query parameters will be sent to that service
Avoid submitting private, confidential, or sensitive personal information as Twitter/X search terms or identifiers.
Large or chained requests could spend API balance or make more external calls than a simple lookup.
The skill supports multi-step and batch API calls that can consume paid provider calls, while the documentation says confirmation and cost prompts should be used.
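Chained calls: complex requests can be completed by chaining multiple APIs (executed only after explicit user confirmation) ... Before batch operations (>10 items), the estimated number of calls is shown; please watch your account balance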
Confirm bulk or chained requests only when you want them, and check any cost estimate before proceeding.
Recent query parameters and returned Twitter/X data may remain in the skill runtime cache for a short period.
API responses are cached in memory using a key derived from request parameters; this is bounded and purpose-aligned, but it temporarily retains query-related data.
this.cache = new Map(); ... map(k => `${k}=${params[k]}`) ... this.cache.set(key, { data, expireAt: Date.now() + (ttl || this.defaultTTL) })
Do not use sensitive query terms, and clear or restart the runtime if you need to remove cached session data.
The provided evidence does not show malicious behavior, but the review cannot fully verify omitted runtime or prompt files.
These runtime helper modules are imported, but the supplied artifact excerpt omits some referenced files, so their behavior cannot be fully reviewed here.
const { RequestDeduplicator, RequestBatcher, RedundancyFilter, createOptimizer } = require('./optimizer'); ... const pricingService = require('./pricing-service');
Install only from a trusted ClawHub/repository source and review the complete package contents if possible.
