Habilidades maxhub-kuaishou Historial de auditorías
🎬

Historial de auditorías

maxhub-kuaishou - 2 auditorías

Versión de auditoría 2

Más reciente Riesgo bajo

May 20, 2026, 12:45 PM

This skill is a legitimate API wrapper for querying Kuaishou data through the MaxHub service (www.aconfig.cn). All 135 static findings have been evaluated as false positives: hardcoded URLs point to the documented API endpoint, shell commands are documentation examples for curl-based API calls, and env access is for the declared MAXHUB_API_KEY credential. The skill transparently declares its requirements and usage patterns. No malicious intent, obfuscation, or prompt injection detected.

7
Archivos escaneados
609
Líneas analizadas
6
hallazgos
claude
Auditado por
Problemas de riesgo bajo (3)
SKILL.md:10SKILL.md:13SKILL.md:17SKILL.md:50SKILL.md:68
API Credential Access in Environment Variables
The skill accesses MAXHUB_API_KEY from environment variables for API authentication. This is a legitimate and declared requirement documented in SKILL.md metadata. Users must configure their own API key obtained from aconfig.cn. The key is used only as Bearer token for authorized API calls.
SKILL.md:45-61references/api-video.md:3-4references/api-user.md:3-4
External API Network Calls via curl
The skill uses curl to make HTTP requests to the MaxHub API at www.aconfig.cn. These are documented, legitimate API calls for querying Kuaishou data. All API endpoints and parameters are defined in reference documentation files. The pattern is standard for API wrapper skills.
SKILL.md:49-61SKILL.md:67-69SKILL.md:80-81SKILL.md:91-92
Shell Command Documentation in Code Blocks
Bash code blocks in SKILL.md and README files show curl commands and environment variable checks. These are documentation examples for user reference, not active code execution. The commands execute legitimate API calls for the skill's intended purpose.

Factores de riesgo

🌐 Acceso a red (25)
_meta.json:6 _meta.json:7 README_CN.md:22 README_CN.md:38 README_CN.md:42 README.md:22 README.md:38 README.md:42 references/api-user.md:3 references/api-user.md:17 references/api-user.md:112 references/api-video.md:3 references/api-video.md:43 references/param-mappings.md:3 references/param-mappings.md:9 references/param-mappings.md:21 SKILL.md:18 SKILL.md:22 SKILL.md:30 SKILL.md:32 SKILL.md:45 SKILL.md:53 SKILL.md:57 SKILL.md:77 SKILL.md:88
⚙️ Comandos externos (15)
README_CN.md:16-18 README_CN.md:18-23 README_CN.md:23 README.md:16-18 README.md:18-23 README.md:23 references/api-user.md:3-4 references/api-user.md:9 references/api-video.md:3-4 references/api-video.md:9 SKILL.md:45-61 SKILL.md:67-69 SKILL.md:80-81 SKILL.md:91-92 SKILL.md:106-109
🔑 Variables de entorno (11)
README_CN.md:23 README.md:23 references/api-user.md:4 references/api-video.md:4 SKILL.md:10 SKILL.md:13 SKILL.md:17 SKILL.md:50 SKILL.md:68 SKILL.md:80-81 SKILL.md:91-92

Patrones detectados

Combined Network, Command Execution, and Credential Access

Versión de auditoría 1

Riesgo bajo

May 9, 2026, 07:16 AM

Security evaluation completed. Static scanner flagged 134 potential issues, but review reveals all findings are false positives. The skill uses template variables in markdown documentation (e.g. ${MAXHUB_API_KEY}) which triggered command execution alerts. Network and environment variable detections are intentional design - the skill is designed to communicate only with MaxHub API using environment-provided credentials. The skill explicitly documents its security boundaries in metadata.

3
Archivos escaneados
392
Líneas analizadas
4
hallazgos
claude
Auditado por
Problemas de riesgo bajo (2)
references/api-catalog.md:9-56references/chain-patterns.md:8-12SKILL.md:43-283
False Positive: Command Execution Detection in Documentation
Static scanner flagged 'Ruby/shell backtick execution' patterns in markdown files. These are documentation code blocks containing template variables like ${MAXHUB_API_KEY} - not actual shell commands being executed. The skill is markdown-based instruction documentation, not executable code.
SKILL.md:1references/chain-patterns.md:1
False Positive: High File Entropy Detection
Static scanner flagged high entropy strings in SKILL.md and references/chain-patterns.md. This is caused by Chinese characters encoded in UTF-8, not encrypted or obfuscated content. The skill contains bilingual (Chinese/English) documentation.

Factores de riesgo

🌐 Acceso a red (5)
SKILL.md:26 SKILL.md:27 SKILL.md:47 SKILL.md:68 SKILL.md:87
🔑 Variables de entorno (13)
SKILL.md:11 SKILL.md:12 SKILL.md:17 SKILL.md:44 SKILL.md:70 SKILL.md:79 SKILL.md:86 SKILL.md:93 SKILL.md:248 SKILL.md:257 SKILL.md:264 SKILL.md:273 SKILL.md:280
← Volver a Skill