maxhub-xigua
Pass
Audited by ClawScan on May 13, 2026.
Overview
The visible artifacts show a coherent Xigua/MaxHub data-query skill, with the main considerations being API-key use, external query sharing, and possible API costs.
This appears reasonable to use if you are comfortable with MaxHub/aconfig.cn receiving your query terms and with possible API charges. Use a dedicated API key, avoid sensitive queries, confirm bulk collection requests, and verify the publisher/version because the artifacts show version mismatches.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The key can authorize paid API calls and may consume the user’s MaxHub quota or balance.
The skill uses a MaxHub API key as the authentication header for the configured provider endpoint. This is purpose-aligned and disclosed, with no visible logging, hardcoding, or unrelated credential use.
"url": "https://www.aconfig.cn", "authHeader": "x-api-key", "authEnvVar": "MAXHUB_API_KEY"
Use a dedicated, revocable MaxHub API key, monitor usage/billing, and revoke the key if you stop using the skill.
Search keywords, video IDs, user IDs, or similar query inputs may be visible to the API provider.
The artifact clearly discloses that user query parameters are sent to the external MaxHub/aconfig.cn service.
This Skill retrieves data through the MaxHub API (aconfig.cn); user query parameters will be sent to that service
Avoid entering private or sensitive personal information in queries, and review the provider’s privacy and billing terms.
Bulk or chained requests can consume API quota or incur fees more quickly than a single lookup.
The skill supports chained or repeated API calls, which is expected for data collection but can increase provider calls and cost. The artifacts describe quantity controls.
First fetch the creator's video list, then call the details API for each video (take care to limit the quantity; the default maximum is 10)
Confirm batch sizes before running multi-step requests and ask for a cost estimate when collecting many records.
It may be harder to confirm exactly which release is installed or compare it with the publisher’s repository.
The skill file contains differing version values, and the supplied registry metadata lists another version. This is a provenance and packaging hygiene issue, not evidence of malicious behavior.
version: 1.2.1 ... Version: v1.1.9
Verify the package source, publisher, and release version before relying on it in sensitive workflows.
