Fähigkeiten maxhub-lemon8 Audit-Verlauf
🍋

Audit-Verlauf

maxhub-lemon8 - 3 Audits

Audit-Version 3

Neueste Niedriges Risiko

May 20, 2026, 02:23 PM

This skill is an API documentation helper for querying Lemon8 content through the MaxHub API. All 208 static findings were evaluated: the external_commands (118) are FALSE POSITIVES caused by markdown code blocks being misidentified as shell backtick execution. The network (24) and env_access (16) findings are TRUE POSITIVES but reflect expected behavior for an API client skill that uses curl and a documented MAXHUB_API_KEY environment variable. No malicious intent, obfuscation, data exfiltration, or prompt injection was detected. The skill transparently documents its API dependencies and authentication requirements.

7
Gescannte Dateien
780
Analysierte Zeilen
5
befunde
claude
Auditiert von
Probleme mit niedrigem Risiko (2)
SKILL.md:10-13SKILL.md:47SKILL.md:50
API key environment variable dependency
The skill requires MAXHUB_API_KEY to authenticate with the MaxHub Lemon8 API. This is a declared dependency in the SKILL.md metadata. The skill uses it as a Bearer token for API requests. This is expected behavior for an API client skill and is transparently documented.
SKILL.md:18-22SKILL.md:30-32SKILL.md:45references/api-search-discover.md:3references/api-post-user.md:3
Hardcoded API endpoint URLs
The skill contains hardcoded URLs pointing to the MaxHub API at aconfig.cn. These are legitimate API endpoints documented for the skill to use when querying Lemon8 data. No suspicious, unknown, or unexpected external destinations were detected.

Risikofaktoren

🌐 Netzwerkzugriff (24)
_meta.json:6 _meta.json:7 README_CN.md:21 README_CN.md:36 README_CN.md:40 README.md:21 README.md:36 README.md:40 references/api-post-user.md:3 references/api-post-user.md:236 references/api-post-user.md:284 references/api-search-discover.md:3 references/param-mappings.md:3 references/param-mappings.md:54 references/param-mappings.md:58 SKILL.md:18 SKILL.md:22 SKILL.md:30 SKILL.md:32 SKILL.md:45 SKILL.md:53 SKILL.md:57 SKILL.md:77 SKILL.md:88
⚙️ Externe Befehle (118)
README_CN.md:15-17 README_CN.md:17-22 README_CN.md:22 README.md:15-17 README.md:17-22 README.md:22 references/api-post-user.md:3 references/api-post-user.md:4 references/api-post-user.md:9 references/api-post-user.md:19 references/api-post-user.md:30 references/api-post-user.md:45 references/api-post-user.md:52 references/api-post-user.md:53 references/api-post-user.md:54 references/api-post-user.md:55 references/api-post-user.md:62 references/api-post-user.md:74 references/api-post-user.md:81 references/api-post-user.md:87 references/api-post-user.md:99 references/api-post-user.md:107 references/api-post-user.md:108 references/api-post-user.md:109 references/api-post-user.md:115 references/api-post-user.md:131 references/api-post-user.md:138 references/api-post-user.md:141 references/api-post-user.md:142 references/api-post-user.md:149 references/api-post-user.md:162 references/api-post-user.md:169 references/api-post-user.md:176 references/api-post-user.md:189 references/api-post-user.md:196 references/api-post-user.md:203 references/api-post-user.md:215 references/api-post-user.md:222 references/api-post-user.md:228 references/api-post-user.md:240 references/api-post-user.md:253 references/api-post-user.md:263 references/api-post-user.md:276 references/api-post-user.md:288 references/api-post-user.md:301 references/api-post-user.md:311 references/api-search-discover.md:3 references/api-search-discover.md:4 references/api-search-discover.md:9 references/api-search-discover.md:19 references/api-search-discover.md:30 references/api-search-discover.md:40 references/api-search-discover.md:51 references/api-search-discover.md:61 references/api-search-discover.md:72 references/api-search-discover.md:88 references/api-search-discover.md:97 references/api-search-discover.md:97 references/api-search-discover.md:106 references/api-search-discover.md:107 references/api-search-discover.md:108 references/api-search-discover.md:109 references/api-search-discover.md:110 references/param-mappings.md:3 references/param-mappings.md:3 references/param-mappings.md:9 references/param-mappings.md:9 references/param-mappings.md:10 references/param-mappings.md:10 references/param-mappings.md:11 references/param-mappings.md:11 references/param-mappings.md:12 references/param-mappings.md:12 references/param-mappings.md:16 references/param-mappings.md:16 references/param-mappings.md:20 references/param-mappings.md:20 references/param-mappings.md:21 references/param-mappings.md:22 references/param-mappings.md:23 references/param-mappings.md:24 references/param-mappings.md:24 references/param-mappings.md:28 references/param-mappings.md:28 references/param-mappings.md:32 references/param-mappings.md:32 references/param-mappings.md:33 references/param-mappings.md:34 references/param-mappings.md:34 references/param-mappings.md:35 references/param-mappings.md:35 references/param-mappings.md:36 references/param-mappings.md:40 references/param-mappings.md:40 references/param-mappings.md:41 references/param-mappings.md:45 references/param-mappings.md:45 references/param-mappings.md:46 references/param-mappings.md:50 references/param-mappings.md:50 references/param-mappings.md:54 references/param-mappings.md:54 references/param-mappings.md:58 references/param-mappings.md:58 SKILL.md:45 SKILL.md:47 SKILL.md:47 SKILL.md:49-61 SKILL.md:61-67 SKILL.md:67-69 SKILL.md:69-80 SKILL.md:80-81 SKILL.md:81-91 SKILL.md:91-92 SKILL.md:92-106 SKILL.md:106-107 SKILL.md:107-108 SKILL.md:108-160
🔑 Umgebungsvariablen (16)
README_CN.md:22 README.md:22 references/api-post-user.md:4 references/api-search-discover.md:4 SKILL.md:10 SKILL.md:13 SKILL.md:17 SKILL.md:47 SKILL.md:50 SKILL.md:68 SKILL.md:80 SKILL.md:81 SKILL.md:81 SKILL.md:91 SKILL.md:92 SKILL.md:92

Audit-Version 2

Niedriges Risiko

May 20, 2026, 12:47 PM

Static analysis found 208 potential issues across 7 files (780 lines). All findings are FALSE POSITIVES after AI review. The skill is a legitimate API client for Lemon8 content data via the MaxHub API at aconfig.cn. Network requests target a single documented API endpoint. Environment variable access retrieves a user-provided API key for Bearer token authentication. External command references (curl) appear in markdown code blocks as API usage documentation and instructions. No obfuscation, data exfiltration, or malicious intent detected. The heuristic critical finding for capability combination is dismissed as legitimate API client behavior. Risk level is LOW; the skill is safe to publish with standard API client warnings.

7
Gescannte Dateien
780
Analysierte Zeilen
6
befunde
claude
Auditiert von
Probleme mit mittlerem Risiko (1)
SKILL.md:10-22
Dangerous Capability Combination (Dismissed)
The static analyzer detected a combination of network access, environment variable access, and external command usage. This finding is DISMISSED after AI review: the skill is a transparent API client that legitimately requires all three capabilities. Network access targets a single documented API endpoint (aconfig.cn). Environment access retrieves a user-provided API key for Bearer token authentication. External commands (curl) are standard HTTP client instructions. No evidence of data exfiltration or malicious intent.
Probleme mit niedrigem Risiko (2)
references/api-post-user.md:3-4references/api-search-discover.md:3-4references/param-mappings.md:3SKILL.md:49-61
External Commands in Documentation (False Positive)
118 instances of shell backtick execution were detected across reference documentation and README files. All instances are FALSE POSITIVES: they appear exclusively in markdown code blocks as curl command examples for API usage. These are documentation and usage instructions, not executable code injection. The skill instructs the AI to construct similar curl commands for legitimate API calls against the documented MaxHub API endpoints.
references/api-post-user.md:21references/api-search-discover.md:21
Weak Cryptographic Algorithm References (False Positive)
22 instances of weak cryptographic algorithm were detected in API reference files. These are FALSE POSITIVES: the flagged lines contain markdown table formatting, parameter names, and description text. No cryptographic operations, hashing, or encryption are performed by this skill. Reference documentation describes API parameters, not code logic.

Risikofaktoren

🌐 Netzwerkzugriff (24)
_meta.json:6 _meta.json:7 README_CN.md:21 README_CN.md:36 README_CN.md:40 README.md:21 README.md:36 README.md:40 references/api-post-user.md:3 references/api-post-user.md:236 references/api-post-user.md:284 references/api-search-discover.md:3 references/param-mappings.md:3 references/param-mappings.md:54 references/param-mappings.md:58 SKILL.md:18 SKILL.md:22 SKILL.md:30 SKILL.md:32 SKILL.md:45 SKILL.md:53 SKILL.md:57 SKILL.md:77 SKILL.md:88
🔑 Umgebungsvariablen (16)
README_CN.md:22 README.md:22 references/api-post-user.md:4 references/api-search-discover.md:4 SKILL.md:10 SKILL.md:13 SKILL.md:17 SKILL.md:47 SKILL.md:50 SKILL.md:68 SKILL.md:80 SKILL.md:81 SKILL.md:81 SKILL.md:91 SKILL.md:92 SKILL.md:92
⚙️ Externe Befehle (2)
SKILL.md:49-61 SKILL.md:67-69

Audit-Version 1

Niedriges Risiko

May 9, 2026, 07:18 AM

This skill is a legitimate Lemon8 social media data collection API wrapper. Static findings for external_commands and system_reconnaissance are FALSE POSITIVES - the scanner misidentified template syntax placeholders and API documentation as shell commands. Environment variable access (MAXHUB_API_KEY, MAXHUB_BASE_URL) is clearly documented and intentional for API authentication. Network access is limited to the MaxHub API service endpoints only. High entropy warnings are FALSE POSITIVES caused by Chinese text characters which naturally have higher byte entropy than ASCII text.

3
Gescannte Dateien
331
Analysierte Zeilen
6
befunde
claude
Auditiert von
Probleme mit niedrigem Risiko (3)
references/api-catalog.md:9-19references/api-catalog.md:25-27references/api-catalog.md:33-34references/chain-patterns.md:8-12SKILL.md:42-244
Static Scanner Misidentified Template Syntax
The static scanner flagged 'Ruby/shell backtick execution' patterns at lines using ${VAR} syntax. These are NOT shell commands - they are environment variable placeholders for API configuration (MAXHUB_BASE_URL, MAXHUB_API_KEY). The skill uses standard template variable substitution, not shell execution.
references/chain-patterns.md:1-42SKILL.md:1-253
Chinese Text Characters Misidentified as Encrypted Content
The static scanner flagged 'High entropy string' warnings due to Chinese characters in the skill documentation. Chinese characters have naturally higher byte entropy (3-4 bytes per character in UTF-8) than ASCII text. This is normal for multilingual content, not evidence of obfuscation.
references/api-catalog.md:9-10references/api-catalog.md:14-27
API Documentation Misidentified as System Reconnaissance
The static scanner flagged 'System reconnaissance' at API catalog lines. These are simply documentation listing the available API endpoints and their parameters - standard API documentation practice, not reconnaissance commands.

Risikofaktoren

⚙️ Externe Befehle
Keine spezifischen Standorte aufgezeichnet
🌐 Netzwerkzugriff (4)
SKILL.md:26-27 SKILL.md:46 SKILL.md:66 SKILL.md:85
🔑 Umgebungsvariablen (7)
SKILL.md:11-12 SKILL.md:17 SKILL.md:43 SKILL.md:68 SKILL.md:77 SKILL.md:84 SKILL.md:91
← Zurück zum Skill