المهارات maxhub-xigua سجل التدقيق
📦

سجل التدقيق

maxhub-xigua - 2 عمليات التدقيق

إصدار التدقيق 2

الأحدث مخاطر متوسطة

May 20, 2026, 01:20 PM

This skill is a legitimate API client for Xigua Video data via the MaxHub service. Static analysis found 133 potential issues, but the vast majority are false positives from documentation files (READMEs, reference docs) where shell commands appear in markdown code blocks and URLs point to the legitimate service endpoint at www.aconfig.cn. The genuine risk is MEDIUM: the skill instructs the AI agent to execute curl commands with an API key environment variable (MAXHUB_API_KEY). While this is normal for an API client, the combination of shell execution, network access, and credential usage creates a real attack surface if the AI is manipulated via prompt injection. No malicious intent, obfuscation, or data exfiltration patterns were found.

6
الملفات التي تم فحصها
506
الأسطر التي تم تحليلها
9
النتائج
claude
تم تدقيقه بواسطة
مشكلات متوسطة المخاطر (1)
SKILL.md:45-61SKILL.md:67-69SKILL.md:80-92
Shell command execution via curl with API credentials
SKILL.md instructs the AI agent to execute curl commands using the MAXHUB_API_KEY environment variable for API authentication (SKILL.md:45-61, 67-69, 80-92). This is the intended behavior for an API client, but the combination of shell execution with credential access creates a prompt injection attack surface where a manipulated AI could be redirected to exfiltrate the API key to a different endpoint.
مشكلات منخفضة المخاطر (5)
_meta.json:6-7README.md:19README.md:32README.md:36README_CN.md:19README_CN.md:32README_CN.md:36SKILL.md:18SKILL.md:22SKILL.md:30SKILL.md:32SKILL.md:45SKILL.md:53SKILL.md:57SKILL.md:77SKILL.md:88
Hardcoded URLs in documentation files
Multiple files contain hardcoded URLs pointing to www.aconfig.cn, the legitimate MaxHub API service. These are FALSE POSITIVES - the URLs are the intended API endpoint and documentation references, not suspicious destinations.
README_CN.md:13-15README_CN.md:20README.md:13-15README.md:20references/api-video-user.md:3-4references/param-mappings.md:3-40
Shell command patterns in documentation files
README.md, README_CN.md, and reference documentation files contain shell command patterns (backtick usage in markdown code blocks). These are FALSE POSITIVES - the commands appear in documentation code blocks for human readers, not as executable instructions for the AI agent. The backticks are markdown formatting for code examples showing install and setup steps.
references/api-video-user.md:15references/api-video-user.md:23references/api-video-user.md:41references/api-video-user.md:49references/api-video-user.md:66references/api-video-user.md:74references/api-video-user.md:92references/api-video-user.md:100references/api-video-user.md:117references/api-video-user.md:126references/api-video-user.md:146references/api-video-user.md:156references/api-video-user.md:175references/api-video-user.md:187
Weak cryptographic algorithm reference (Base64)
Static analyzer flagged 'Base64 encoding' in API documentation as a weak cryptographic algorithm (references/api-video-user.md:15,23,41,49). This is a FALSE POSITIVE - Base64 is used as a data encoding format for video URLs in API responses, not for security purposes. The documentation states 'Base64 encoded play address, needs front-end decoding.'
references/api-video-user.md:17references/api-video-user.md:28references/api-video-user.md:43references/api-video-user.md:54references/api-video-user.md:68references/api-video-user.md:79references/api-video-user.md:94references/api-video-user.md:105references/api-video-user.md:119references/api-video-user.md:131references/api-video-user.md:148references/api-video-user.md:161references/param-mappings.md:9references/param-mappings.md:13references/param-mappings.md:17references/param-mappings.md:21references/param-mappings.md:25references/param-mappings.md:30
System reconnaissance pattern (example IDs in documentation)
Static analyzer flagged example video IDs and user IDs in parameter tables as 'system reconnaissance.' These are FALSE POSITIVES - the values (e.g., item_id=7354954305222377999, user_id=52712347586) are sample/example IDs in API documentation, not actual reconnaissance attempts.
README_CN.md:1
High file entropy heuristic (Chinese UTF-8 content)
Static analyzer flagged README_CN.md for high file entropy (6.02 bits) suggesting possible binary or encrypted content. This is a FALSE POSITIVE - the file contains standard Chinese UTF-8 text which naturally has higher byte entropy than ASCII text due to multi-byte character encoding.

عوامل الخطر

🌐 الوصول إلى الشبكة (19)
_meta.json:6 _meta.json:7 README_CN.md:19 README_CN.md:32 README_CN.md:36 README.md:19 README.md:32 README.md:36 references/api-video-user.md:3 references/param-mappings.md:3 SKILL.md:18 SKILL.md:22 SKILL.md:30 SKILL.md:32 SKILL.md:45 SKILL.md:53 SKILL.md:57 SKILL.md:77 SKILL.md:88
⚙️ الأوامر الخارجية (57)
README_CN.md:13-15 README_CN.md:15-20 README_CN.md:20 README.md:13-15 README.md:15-20 README.md:20 references/api-video-user.md:3 references/api-video-user.md:4 references/api-video-user.md:9 references/api-video-user.md:21 references/api-video-user.md:35 references/api-video-user.md:47 references/api-video-user.md:60 references/api-video-user.md:72 references/api-video-user.md:86 references/api-video-user.md:98 references/api-video-user.md:111 references/api-video-user.md:124 references/api-video-user.md:140 references/api-video-user.md:154 references/api-video-user.md:169 references/api-video-user.md:185 references/param-mappings.md:3 references/param-mappings.md:3 references/param-mappings.md:9 references/param-mappings.md:9 references/param-mappings.md:13 references/param-mappings.md:13 references/param-mappings.md:17 references/param-mappings.md:17 references/param-mappings.md:21 references/param-mappings.md:21 references/param-mappings.md:25 references/param-mappings.md:25 references/param-mappings.md:26 references/param-mappings.md:30 references/param-mappings.md:30 references/param-mappings.md:31 references/param-mappings.md:32 references/param-mappings.md:36 references/param-mappings.md:36 references/param-mappings.md:37 references/param-mappings.md:38 references/param-mappings.md:39 references/param-mappings.md:40 SKILL.md:45 SKILL.md:47 SKILL.md:47 SKILL.md:49-61 SKILL.md:61-67 SKILL.md:67-69 SKILL.md:69-80 SKILL.md:80-81 SKILL.md:81-91 SKILL.md:91-92 SKILL.md:92-106 SKILL.md:106-154
🔑 متغيرات البيئة (15)
README_CN.md:20 README.md:20 references/api-video-user.md:4 SKILL.md:10 SKILL.md:13 SKILL.md:17 SKILL.md:47 SKILL.md:50 SKILL.md:68 SKILL.md:80 SKILL.md:81 SKILL.md:81 SKILL.md:91 SKILL.md:92 SKILL.md:92

الأنماط المكتشفة

curl command execution with environment variable credentials

إصدار التدقيق 1

آمن

May 9, 2026, 07:50 AM

All 72 static findings evaluated as false positives. The skill is a legitimate API integration for Xigua Video data access. Environment variables (MAXHUB_API_KEY, MAXHUB_BASE_URL) are properly documented for authentication. URL paths and API endpoints in documentation triggered backtick detection but are not actual shell commands. Network access is limited to user-configured MaxHub API endpoint. No filesystem access, no platform manipulation operations. All security controls are properly documented in metadata.

3
الملفات التي تم فحصها
303
الأسطر التي تم تحليلها
3
النتائج
claude
تم تدقيقه بواسطة
لا توجد مشكلات أمنية

عوامل الخطر

⚙️ الأوامر الخارجية
لم يتم تسجيل أي مواقع محددة
🌐 الوصول إلى الشبكة
لم يتم تسجيل أي مواقع محددة
🔑 متغيرات البيئة
لم يتم تسجيل أي مواقع محددة
← العودة إلى المهارة