ClawHub

Maxhub Xigua

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal API-backed Xigua video data helper, with privacy caveats around sending queries and using a MaxHub API key.

Install only if you are comfortable configuring a MaxHub API key and sending Xigua lookup terms, IDs, and related request parameters to aconfig.cn. Avoid entering secrets, private personal information, or proprietary data in queries, and invoke the skill explicitly when you want Xigua data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The example trigger words are extremely broad ('视频,用户') and overlap with common conversational terms, which can cause the skill to be invoked unintentionally during normal discussion. In an agent environment, accidental invocation may lead to unnecessary external API calls, data retrieval, or context switching that the user did not explicitly intend.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs sending user-provided query data to a third-party API using an authenticated request, but it does not clearly warn users that their prompts/search terms may be transmitted off-platform. This creates a privacy and consent risk, especially if users include sensitive personal, proprietary, or regulated data in queries.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation exposes user-info and user-post-list endpoints without any guidance on privacy, lawful basis, retention, or handling of personal data. In a skill centered on querying video and user data, this omission can encourage downstream misuse or over-collection of personal information even if the API itself is functioning as designed.

External Transmission

Medium
Category
Data Exfiltration
Content
maxhub_auth_header="Authorization: Bearer ${MAXHUB_API_KEY}"

# GET example
curl -s "https://www.aconfig.cn/api/v1/xigua/{endpoint}?{params}" \
  -H "$maxhub_auth_header"

# POST example
Confidence
94% confidence
Finding
curl -s "https://www.aconfig.cn/api/v1/xigua/{endpoint}?{params}" \ -H "$maxhub_auth_header" # POST example curl -s -X POST "https://www.aconfig.cn/api/v1/xigua/{endpoint}" \ -H "$maxhub_auth_hea

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal