maxhub-zhihu

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Package: maxhub-zhihu (xpi)
Version:
Description: The package is a data collection and analysis 'Skill' for the MaxHub platform, specifically designed to interface with Zhihu. The code implements a robust request optimization layer featuring LRU caching, request deduplication, and a decision engine that selects API endpoints based on cost, latency, and data completeness. It uses the standard 'fetch' API to communicate with a centralized backend (aconfig.cn) and retrieves its authorization token from a designated environment variable (MAXHUB_API_KEY). No evidence of malicious behavior such as unauthorized secret exfiltration, execution of child processes, or dynamic payload loading was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your MaxHub API key will be used to make requests to the MaxHub provider and may incur account usage or cost.

Why it was flagged

The skill reads MAXHUB_API_KEY from the environment and sends it as the configured API authentication header.

Skill content

    const AUTH_HEADER = config.apiBase.authHeader;
    const AUTH_ENV_NAME = config.apiBase.authEnvVar;
    ...
    [AUTH_HEADER]: resolveCredential()

Recommendation

Use a dedicated MaxHub API key if possible, keep it secret, monitor account usage, and revoke it if you uninstall or stop using the skill.

What this means

Search terms, Zhihu IDs, and similar query parameters are sent to aconfig.cn to retrieve results.

Why it was flagged

The skill is designed to call an external provider API for Zhihu data using user-supplied query parameters.

Skill content

    "apiBase": {
      "url": "https://www.aconfig.cn",
      "authHeader": "x-api-key",
      "authEnvVar": "MAXHUB_API_KEY",
      "prefix": "/api/v1/zhihu"
    }

Recommendation

Only use the skill if you trust the MaxHub/aconfig.cn provider, and avoid submitting private or sensitive information as search parameters.

What this means

Recent query parameters and API results may remain in memory during the session to reduce repeated calls.

Why it was flagged

The skill caches API responses and cache keys derived from request parameters in process memory for a limited time.

Skill content

    this.cache = new Map();
    ...
    return `${path}?${sortedParams}`;
    ...
    this.cache.set(key, { data, expireAt: Date.now() + (ttl || this.defaultTTL) })

Recommendation

Avoid sensitive queries and restart/clear the runtime if you need to ensure cached results are gone.