maxhub-youtube
PassAudited by ClawScan on May 13, 2026.
Overview
This appears to be a coherent YouTube data collection skill that uses a MaxHub API key and sends YouTube-related queries to aconfig.cn, with no artifact-backed evidence of malicious behavior.
Before installing, confirm that you trust MaxHub/aconfig.cn with YouTube-related queries and with your MAXHUB_API_KEY. Monitor API costs, avoid private search terms, and be cautious with large batch collection or channel-email lookups. The supplied artifact text omitted some files, so this review is based only on the visible contents.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your YouTube search terms, video IDs, channel IDs, and similar parameters are sent to aconfig.cn, and repeated calls may consume paid API balance.
The skill makes HTTP requests to the configured MaxHub provider for YouTube data. This is central to the stated purpose, but users should know queries leave the local environment and API calls may incur cost.
const BASE_URL = config.apiBase.url; ... const response = await fetch(fullUrl, options);
Use it only with a MaxHub account you trust, avoid sending private search terms, and review cost/batch settings before large data collection.
The skill can make authenticated requests against your MaxHub account and may consume that account's quota or balance.
The code reads MAXHUB_API_KEY from the environment and uses it in the provider authentication header. This is expected for the integration and no hardcoded credential or unrelated credential use is shown.
const AUTH_HEADER = config.apiBase.authHeader; ... [AUTH_HEADER]: resolveCredential(),
Provide a scoped/replaceable API key if available, monitor MaxHub usage, and revoke or rotate the key if you stop using the skill.
Recent query parameters and API results may remain in the running process briefly, which could matter in shared or long-lived agent environments.
The skill caches GET responses in memory keyed by API path and request parameters. The cache appears bounded by size and TTL and is purpose-aligned for reducing repeated API calls.
this.cache = new Map(); ... cache.set(path, params, result, ttlOverride || undefined);
Avoid entering sensitive private terms and clear/restart the agent runtime if you need to remove cached results.
If invoked, the skill may retrieve contact-style data and spend more per call than most other endpoints.
The API registry includes a channel-email endpoint with a higher per-call price. This fits broad channel data collection but is not prominently described in the visible SKILL.md feature list.
getChannelEmail: { path: '/web/get_channel_email', price: 0.30 }Ask for confirmation before using channel-email lookup and make sure such collection complies with your privacy and platform-use expectations.