Skill maxhub-weibo audit history

Audit history

maxhub-weibo - 2 audits

Audit version 2

Latest - Low risk

May 20, 2026, 01:16 PM

This skill is a legitimate Weibo data query assistant that calls a third-party API (aconfig.cn) using a user-provided API key. Static analysis reported 676 potential issues, but nearly all are false positives: 'weak cryptographic algorithm' findings are markdown table separators (|---|---|), 'shell backtick execution' findings are curl examples in documentation code blocks, and 'system reconnaissance' findings are API parameter documentation. The skill is transparent about its credential usage and network calls. Low risk - publish with standard warnings about third-party API usage.

Files scanned: 10
Lines analyzed: 2,645
Findings: 8
Auditor: claude
Medium-risk issues (2)
Third-party API credential usage
The skill reads MAXHUB_API_KEY from environment variables and sends it as a Bearer token to www.aconfig.cn for API authentication. This is intentional and documented behavior for the skill's functionality.
External network requests via curl
The skill executes curl commands to make HTTP requests to www.aconfig.cn. All commands use hardcoded URLs and an environment variable for auth. No dynamic command injection is possible, as the reference files define fixed endpoints.
Low-risk issues (3)
Markdown tables flagged as weak cryptographic algorithm
Static analyzer incorrectly flagged markdown table separator rows (e.g., '|---|---|---|') as 'weak cryptographic algorithm' at 138 locations across reference files. These are standard markdown formatting, not encryption.
API parameter documentation flagged as system reconnaissance
Static analyzer flagged example parameter values and container IDs in API documentation as 'system reconnaissance'. These are legitimate documentation values like container IDs for Weibo channel categories.
High entropy detection on bilingual documentation
Static analyzer flagged high file entropy on files containing mixed Chinese and English text. This is expected for a bilingual skill documentation file, not obfuscation.

Audit version 1

Low risk

May 9, 2026, 07:45 AM

This is a legitimate data fetching skill that provides documentation for accessing Weibo public data through the MaxHub API. Static analysis flagged 216 potential issues but evaluation confirms these are all false positives: backticks in markdown tables were misidentified as shell commands, environment variable access is intentional for API authentication, and network access is required for data retrieval. No malicious code or intent detected. The skill explicitly prohibits platform manipulation and only accesses public data.

Files scanned: 3
Lines analyzed: 499
Findings: 6
Auditor: claude

High-risk issues (2)

API Credential Access via Environment Variables
The skill requires MAXHUB_API_KEY environment variable for API authentication. This is intentional and documented in the skill metadata.
External Network Access via HTTPS
The skill makes HTTPS requests to the MaxHub API endpoint to fetch Weibo public data. Network access is required and documented.
Medium-risk issues (1)
Documentation Contains Shell Command Syntax
The skill documentation includes curl command examples with environment variable syntax (${VAR}) showing how to make API requests. These are documentation examples, not executable code.
Low-risk issues (1)
Static Analysis Pattern False Positives
The static analyzer flagged 216 potential security issues (157 external_commands, 13 env_access, 5 network, plus blockers/obfuscation). Manual evaluation confirms all are false positives: markdown backticks misidentified as shell commands, legitimate environment access, and documentation formatting misinterpreted as code.