
Audit log

maxhub-weibo - 2 audits

Audit version 2

Latest - Low risk

May 20, 2026, 01:16 PM

This skill is a legitimate Weibo data query assistant that calls a third-party API (aconfig.cn) using a user-provided API key. Static analysis reported 676 potential issues, but nearly all are false positives: 'weak cryptographic algorithm' findings are markdown table separators (|---|---|), 'shell backtick execution' findings are curl examples in documentation code blocks, and 'system reconnaissance' findings are API parameter documentation. The skill is transparent about its credential usage and network calls. Low risk - publish with standard warnings about third-party API usage.

Files scanned: 10
Lines analyzed: 2,645
Findings: 8
Audited by: claude

Medium-risk issues (2)
Third-party API credential usage
The skill reads MAXHUB_API_KEY from environment variables and sends it as a Bearer token to www.aconfig.cn for API authentication. This is intentional and documented behavior for the skill's functionality.
External network requests via curl
The skill executes curl commands to make HTTP requests to www.aconfig.cn. All commands use hardcoded URLs and an environment variable for auth. No dynamic command injection is possible as the reference files define fixed endpoints.
Low-risk issues (3)
Markdown tables flagged as weak cryptographic algorithm
Static analyzer incorrectly flagged markdown table separator rows (e.g., '|---|---|---|') as 'weak cryptographic algorithm' at 138 locations across reference files. These are standard markdown formatting, not encryption.
API parameter documentation flagged as system reconnaissance
Static analyzer flagged example parameter values and container IDs in API documentation as 'system reconnaissance'. These are legitimate documentation values like container IDs for Weibo channel categories.
High entropy detection on bilingual documentation
Static analyzer flagged high file entropy on files containing mixed Chinese and English text. This is expected for a bilingual skill documentation file, not obfuscation.

Audit version 1

Low risk

May 9, 2026, 07:45 AM

This is a legitimate data fetching skill that provides documentation for accessing Weibo public data through the MaxHub API. Static analysis flagged 216 potential issues but evaluation confirms these are all false positives: backticks in markdown tables were misidentified as shell commands, environment variable access is intentional for API authentication, and network access is required for data retrieval. No malicious code or intent detected. The skill explicitly prohibits platform manipulation and only accesses public data.

Files scanned: 3
Lines analyzed: 499
Findings: 6
Audited by: claude

High-risk issues (2)

API Credential Access via Environment Variables
The skill requires the MAXHUB_API_KEY environment variable for API authentication. This is intentional and documented in the skill metadata.
External Network Access via HTTPS
The skill makes HTTPS requests to the MaxHub API endpoint to fetch Weibo public data. Network access is required and documented.
Medium-risk issues (1)
Documentation Contains Shell Command Syntax
The skill documentation includes curl command examples with environment variable syntax (${VAR}) showing how to make API requests. These are documentation examples, not executable code.
Low-risk issues (1)
Static Analysis Pattern False Positives
The static analyzer flagged 216 potential security issues (157 external_commands, 13 env_access, 5 network, plus blockers/obfuscation). Manual evaluation confirms all are false positives: markdown backticks misidentified as shell commands, legitimate environment access, and documentation formatting misinterpreted as code.