maxhub-wechat
Advisory
Audited by static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your MaxHub API key could be attached to requests outside the intended API route, causing credential exposure risk or broken requests.
The code attaches the MAXHUB_API_KEY-derived x-api-key header while concatenating the configured base URL directly with paths that start with `_channels`/`_mp`. Given config.json declares `https://www.aconfig.cn` plus a separate `/api/v1/wechat` prefix, this appears to omit the intended prefix/slash and could send the key to a malformed or unintended host/path.
const url = `${BASE_URL}${path}`; ... fetchDefaultSearch: { path: '_channels/fetch_default_search', method: 'POST', price: 0.1 } ... [AUTH_HEADER]: resolveCredential()
Use a scoped/rotatable API key and wait for the publisher to fix URL construction using the declared API prefix and a safe URL builder.
Search keywords, article URLs, and related query parameters may be visible to the external API provider.
The skill explicitly discloses that user query parameters are sent to the MaxHub/aconfig.cn provider.
This Skill obtains data through the MaxHub API (aconfig.cn); user query parameters will be sent to that service ... Do not submit sensitive information involving personal privacy
Avoid submitting private or sensitive information and review the provider’s privacy and billing terms before use.
Recent API results and query-derived cache keys may remain available within the same running process for a short time.
The cache stores API responses keyed by request parameters in process memory with a TTL and size limit.
return `${path}?${sortedParams}`; ... this.cache.set(key, { data, expireAt: Date.now() + (ttl || this.defaultTTL), createdAt: Date.now() })
Do not use sensitive query terms; restart or clear the session if you need to remove cached results.
Multiple API calls can consume provider quota or incur account charges.
The skill can make chained or batch provider API calls, and the documentation says confirmation/cost prompts should be used for larger operations.
Chained calls: complex requests can be fulfilled by chaining multiple APIs (executed only after explicit user confirmation) ... Before batch operations (>10 items), the estimated number of API calls is shown
Approve chained or bulk calls explicitly and monitor the MaxHub account balance/cost reports.
It may be unclear which version’s behavior and fixes are actually installed.
The SKILL.md contains two different versions, and the supplied registry metadata lists 1.1.2 while package/config artifacts list 1.0.10.
version: 1.1.1 ... Version: v1.0.10
The publisher should align all version fields; users should verify the intended release/source before installing.
