Habilidades maxhub-xigua Historial de auditorías
📦

Historial de auditorías

maxhub-xigua - 2 auditorías

Versión de auditoría 2

Más reciente Riesgo medio

May 20, 2026, 01:20 PM

This skill is a legitimate API client for Xigua Video data via the MaxHub service. Static analysis found 133 potential issues, but the vast majority are false positives from documentation files (READMEs, reference docs) where shell commands appear in markdown code blocks and URLs point to the legitimate service endpoint at www.aconfig.cn. The genuine risk is MEDIUM: the skill instructs the AI agent to execute curl commands with an API key environment variable (MAXHUB_API_KEY). While this is normal for an API client, the combination of shell execution, network access, and credential usage creates a real attack surface if the AI is manipulated via prompt injection. No malicious intent, obfuscation, or data exfiltration patterns were found.

6
Archivos escaneados
506
Líneas analizadas
9
hallazgos
claude
Auditado por
Problemas de riesgo medio (1)
SKILL.md:45-61SKILL.md:67-69SKILL.md:80-92
Shell command execution via curl with API credentials
SKILL.md instructs the AI agent to execute curl commands using the MAXHUB_API_KEY environment variable for API authentication (SKILL.md:45-61, 67-69, 80-92). This is the intended behavior for an API client, but the combination of shell execution with credential access creates a prompt injection attack surface where a manipulated AI could be redirected to exfiltrate the API key to a different endpoint.
Problemas de riesgo bajo (5)
_meta.json:6-7README.md:19README.md:32README.md:36README_CN.md:19README_CN.md:32README_CN.md:36SKILL.md:18SKILL.md:22SKILL.md:30SKILL.md:32SKILL.md:45SKILL.md:53SKILL.md:57SKILL.md:77SKILL.md:88
Hardcoded URLs in documentation files
Multiple files contain hardcoded URLs pointing to www.aconfig.cn, the legitimate MaxHub API service. These are FALSE POSITIVES - the URLs are the intended API endpoint and documentation references, not suspicious destinations.
README_CN.md:13-15README_CN.md:20README.md:13-15README.md:20references/api-video-user.md:3-4references/param-mappings.md:3-40
Shell command patterns in documentation files
README.md, README_CN.md, and reference documentation files contain shell command patterns (backtick usage in markdown code blocks). These are FALSE POSITIVES - the commands appear in documentation code blocks for human readers, not as executable instructions for the AI agent. The backticks are markdown formatting for code examples showing install and setup steps.
references/api-video-user.md:15references/api-video-user.md:23references/api-video-user.md:41references/api-video-user.md:49references/api-video-user.md:66references/api-video-user.md:74references/api-video-user.md:92references/api-video-user.md:100references/api-video-user.md:117references/api-video-user.md:126references/api-video-user.md:146references/api-video-user.md:156references/api-video-user.md:175references/api-video-user.md:187
Weak cryptographic algorithm reference (Base64)
Static analyzer flagged 'Base64 encoding' in API documentation as a weak cryptographic algorithm (references/api-video-user.md:15,23,41,49). This is a FALSE POSITIVE - Base64 is used as a data encoding format for video URLs in API responses, not for security purposes. The documentation states 'Base64 encoded play address, needs front-end decoding.'
references/api-video-user.md:17references/api-video-user.md:28references/api-video-user.md:43references/api-video-user.md:54references/api-video-user.md:68references/api-video-user.md:79references/api-video-user.md:94references/api-video-user.md:105references/api-video-user.md:119references/api-video-user.md:131references/api-video-user.md:148references/api-video-user.md:161references/param-mappings.md:9references/param-mappings.md:13references/param-mappings.md:17references/param-mappings.md:21references/param-mappings.md:25references/param-mappings.md:30
System reconnaissance pattern (example IDs in documentation)
Static analyzer flagged example video IDs and user IDs in parameter tables as 'system reconnaissance.' These are FALSE POSITIVES - the values (e.g., item_id=7354954305222377999, user_id=52712347586) are sample/example IDs in API documentation, not actual reconnaissance attempts.
README_CN.md:1
High file entropy heuristic (Chinese UTF-8 content)
Static analyzer flagged README_CN.md for high file entropy (6.02 bits) suggesting possible binary or encrypted content. This is a FALSE POSITIVE - the file contains standard Chinese UTF-8 text which naturally has higher byte entropy than ASCII text due to multi-byte character encoding.

Factores de riesgo

🌐 Acceso a red (19)
_meta.json:6 _meta.json:7 README_CN.md:19 README_CN.md:32 README_CN.md:36 README.md:19 README.md:32 README.md:36 references/api-video-user.md:3 references/param-mappings.md:3 SKILL.md:18 SKILL.md:22 SKILL.md:30 SKILL.md:32 SKILL.md:45 SKILL.md:53 SKILL.md:57 SKILL.md:77 SKILL.md:88
⚙️ Comandos externos (57)
README_CN.md:13-15 README_CN.md:15-20 README_CN.md:20 README.md:13-15 README.md:15-20 README.md:20 references/api-video-user.md:3 references/api-video-user.md:4 references/api-video-user.md:9 references/api-video-user.md:21 references/api-video-user.md:35 references/api-video-user.md:47 references/api-video-user.md:60 references/api-video-user.md:72 references/api-video-user.md:86 references/api-video-user.md:98 references/api-video-user.md:111 references/api-video-user.md:124 references/api-video-user.md:140 references/api-video-user.md:154 references/api-video-user.md:169 references/api-video-user.md:185 references/param-mappings.md:3 references/param-mappings.md:3 references/param-mappings.md:9 references/param-mappings.md:9 references/param-mappings.md:13 references/param-mappings.md:13 references/param-mappings.md:17 references/param-mappings.md:17 references/param-mappings.md:21 references/param-mappings.md:21 references/param-mappings.md:25 references/param-mappings.md:25 references/param-mappings.md:26 references/param-mappings.md:30 references/param-mappings.md:30 references/param-mappings.md:31 references/param-mappings.md:32 references/param-mappings.md:36 references/param-mappings.md:36 references/param-mappings.md:37 references/param-mappings.md:38 references/param-mappings.md:39 references/param-mappings.md:40 SKILL.md:45 SKILL.md:47 SKILL.md:47 SKILL.md:49-61 SKILL.md:61-67 SKILL.md:67-69 SKILL.md:69-80 SKILL.md:80-81 SKILL.md:81-91 SKILL.md:91-92 SKILL.md:92-106 SKILL.md:106-154
🔑 Variables de entorno (15)
README_CN.md:20 README.md:20 references/api-video-user.md:4 SKILL.md:10 SKILL.md:13 SKILL.md:17 SKILL.md:47 SKILL.md:50 SKILL.md:68 SKILL.md:80 SKILL.md:81 SKILL.md:81 SKILL.md:91 SKILL.md:92 SKILL.md:92

Patrones detectados

curl command execution with environment variable credentials

Versión de auditoría 1

Seguro

May 9, 2026, 07:50 AM

All 72 static findings evaluated as false positives. The skill is a legitimate API integration for Xigua Video data access. Environment variables (MAXHUB_API_KEY, MAXHUB_BASE_URL) are properly documented for authentication. URL paths and API endpoints in documentation triggered backtick detection but are not actual shell commands. Network access is limited to user-configured MaxHub API endpoint. No filesystem access, no platform manipulation operations. All security controls are properly documented in metadata.

3
Archivos escaneados
303
Líneas analizadas
3
hallazgos
claude
Auditado por
No se encontraron problemas de seguridad

Factores de riesgo

⚙️ Comandos externos
No se registraron ubicaciones específicas
🌐 Acceso a red
No se registraron ubicaciones específicas
🔑 Variables de entorno
No se registraron ubicaciones específicas
← Volver a Skill