Back to skill

Security audit

Maxhub Toutiao

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Toutiao data lookup skill that sends user-provided IDs and links to MaxHub, with some documentation inconsistencies but no evidence of hidden, destructive, or deceptive behavior.

Install only if you are comfortable sending Toutiao IDs, profile URLs, keywords, and your MaxHub API key to https://www.aconfig.cn. Treat the advertised search/hot/recommendation features as unsupported until the publisher fixes the documentation, and avoid providing production cookies or sensitive account tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The manifest advertises broader capabilities than the documented implementation actually provides, including search, hot lists, recommendations, and media-account queries. This mismatch can mislead an agent into selecting unsupported workflows, increasing the chance of incorrect endpoint assumptions, over-collection attempts, or unsafe fallback behavior when interacting with a third-party data API.

Intent-Code Divergence

Low
Confidence
83% confidence
Finding
The example tells the agent to extract `$.data.bvid`, which is inconsistent with the Toutiao-specific identifiers used elsewhere (`group_id`, `aweme_id`, `user_id`). In an agentic toolchain, a wrong field-flow example can cause parameter confusion, failed calls, or accidental cross-skill/cross-platform data routing that undermines the skill's safety constraints against parameter invention.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file’s out-of-scope list says search, feed recommendations, and hot榜 are unsupported, while the skill metadata explicitly advertises those capabilities and instructs the agent to route those intents. This inconsistency can cause the agent to deny legitimate requests, choose the wrong workflow, or stop early, undermining security guardrails that depend on accurate capability boundaries and increasing the chance of unsafe fallback behavior elsewhere in the skill.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
This is a concrete contradiction: the reference file forbids search, but the manifest tells the agent to match search intents and pass parameters for search flows. Contradictory routing instructions are dangerous in an agent skill because they make tool-selection logic unreliable and can lead to hallucinated endpoints, unnecessary user-facing failures, or bypass of intended policy controls during error handling.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document instructs agents to send user-related identifiers and profile URLs to an external service using a bearer-authenticated API, but it does not warn that user data will leave the local environment or require user confirmation. In a skill focused on user lookup and profiling, this can lead to unintended disclosure of personal or behavioral data to a third-party endpoint, especially when agents chain requests automatically from article or profile inputs.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.