maxhub-zhihu

Advisory

Audited by Static analysis on May 13, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your MaxHub API key will be used to make requests to the MaxHub provider and may incur account usage or cost.

Why it was flagged

The skill reads MAXHUB_API_KEY from the environment and sends it as the configured API authentication header.

Skill content

const AUTH_HEADER = config.apiBase.authHeader;
const AUTH_ENV_NAME = config.apiBase.authEnvVar;
...
[AUTH_HEADER]: resolveCredential()

Recommendation

Use a dedicated MaxHub API key if possible, keep it secret, monitor account usage, and revoke it if you uninstall or stop using the skill.

What this means

Search terms, Zhihu IDs, and similar query parameters are sent to aconfig.cn to retrieve results.

Why it was flagged

The skill is designed to call an external provider API for Zhihu data using user-supplied query parameters.

Skill content

"apiBase": { "url": "https://www.aconfig.cn", "authHeader": "x-api-key", "authEnvVar": "MAXHUB_API_KEY", "prefix": "/api/v1/zhihu" }

Recommendation

Only use the skill if you trust the MaxHub/aconfig.cn provider, and avoid submitting private or sensitive information as search parameters.

What this means

Recent query parameters and API results may remain in memory during the session to reduce repeated calls.

Why it was flagged

The skill caches API responses and cache keys derived from request parameters in process memory for a limited time.

Skill content

this.cache = new Map();
...
return `${path}?${sortedParams}`;
...
this.cache.set(key, { data, expireAt: Date.now() + (ttl || this.defaultTTL) })

Recommendation

Avoid sensitive queries and restart/clear the runtime if you need to ensure cached results are gone.