maxhub-xiaohongshu
Pass
Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: maxhub-xiaohongshu
Version: 1.1.2
The skill bundle is a legitimate tool for collecting and analyzing Xiaohongshu (Red) social media data via the MaxHub API service (aconfig.cn). It features a robust architecture including an LRU cache (shared/cache.js), request deduplication (shared/optimizer.js), and a cost-aware decision engine (shared/decision.js) to optimize API usage. The code correctly handles the MAXHUB_API_KEY environment variable and contains no evidence of data exfiltration, unauthorized execution, or malicious prompt injection; all instructions in SKILL.md and system.prompt.md are aligned with the stated purpose of data analysis.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can use the configured MaxHub account and may incur usage charges or expose queries to that provider.
The skill authenticates to the MaxHub provider using the user's MAXHUB_API_KEY, which is expected for the stated API service but is still a sensitive credential.
"apiBase": { "url": "https://www.aconfig.cn", "authHeader": "x-api-key", "authEnvVar": "MAXHUB_API_KEY" }
Use a dedicated or scoped MaxHub API key if available, monitor usage and balance, and revoke the key if you stop using the skill.
Complex requests may trigger multiple API calls, increasing cost and sending more query context to the provider.
The skill can chain multiple provider API calls for complex requests; the artifact discloses this and says explicit user confirmation is required.
Chained calls: complex requirements can be fulfilled by chaining multiple APIs (executed only after explicit user confirmation)
Review and confirm multi-step or batch requests, especially if they involve many notes, users, comments, or pages.
