maxhub-xigua

Advisory: audited by static analysis on May 13, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The key can authorize paid API calls and may consume the user’s MaxHub quota or balance.

Why it was flagged

The skill uses a MaxHub API key as the authentication header for the configured provider endpoint. This is purpose-aligned and disclosed, with no visible logging, hardcoding, or unrelated credential use.

Skill content

"url": "https://www.aconfig.cn", "authHeader": "x-api-key", "authEnvVar": "MAXHUB_API_KEY"

Recommendation

Use a dedicated, revocable MaxHub API key, monitor usage/billing, and revoke the key if you stop using the skill.

What this means

Search keywords, video IDs, user IDs, or similar query inputs may be visible to the API provider.

Why it was flagged

The artifact clearly discloses that user query parameters are sent to the external MaxHub/aconfig.cn service.

Skill content

This Skill retrieves data through the MaxHub API (aconfig.cn); user query parameters will be sent to that service.

Recommendation

Avoid entering private or sensitive personal information in queries, and review the provider’s privacy and billing terms.

What this means

Bulk or chained requests can consume API quota or incur fees more quickly than a single lookup.

Why it was flagged

The skill supports chained or repeated API calls, which is expected for data collection but can increase provider calls and cost. The artifacts describe quantity controls.

Skill content

First fetch the creator's video list, then call the details API for each video (take care to limit the quantity; by default at most 10 items).

Recommendation

Confirm batch sizes before running multi-step requests and ask for a cost estimate when collecting many records.

What this means

It may be harder to confirm exactly which release is installed or compare it with the publisher’s repository.

Why it was flagged

The skill file contains differing version values, and the supplied registry metadata lists another version. This is a provenance and packaging hygiene issue, not evidence of malicious behavior.

Skill content

version: 1.2.1 ... 版本:v1.1.9

Recommendation

Verify the package source, publisher, and release version before relying on it in sensitive workflows.