スキル maxhub-xigua 監査履歴
📦

監査履歴

maxhub-xigua - 2 監査

監査バージョン 2

最新 中リスク

May 20, 2026, 01:20 PM

This skill is a legitimate API client for Xigua Video data via the MaxHub service. Static analysis found 133 potential issues, but the vast majority are false positives from documentation files (READMEs, reference docs) where shell commands appear in markdown code blocks and URLs point to the legitimate service endpoint at www.aconfig.cn. The genuine risk is MEDIUM: the skill instructs the AI agent to execute curl commands with an API key environment variable (MAXHUB_API_KEY). While this is normal for an API client, the combination of shell execution, network access, and credential usage creates a real attack surface if the AI is manipulated via prompt injection. No malicious intent, obfuscation, or data exfiltration patterns were found.

6
スキャンされたファイル
506
解析された行数
9
検出結果
claude
監査者
中リスクの問題 (1)
SKILL.md:45-61SKILL.md:67-69SKILL.md:80-92
Shell command execution via curl with API credentials
SKILL.md instructs the AI agent to execute curl commands using the MAXHUB_API_KEY environment variable for API authentication (SKILL.md:45-61, 67-69, 80-92). This is the intended behavior for an API client, but the combination of shell execution with credential access creates a prompt injection attack surface where a manipulated AI could be redirected to exfiltrate the API key to a different endpoint.
低リスクの問題 (5)
_meta.json:6-7README.md:19README.md:32README.md:36README_CN.md:19README_CN.md:32README_CN.md:36SKILL.md:18SKILL.md:22SKILL.md:30SKILL.md:32SKILL.md:45SKILL.md:53SKILL.md:57SKILL.md:77SKILL.md:88
Hardcoded URLs in documentation files
Multiple files contain hardcoded URLs pointing to www.aconfig.cn, the legitimate MaxHub API service. These are FALSE POSITIVES - the URLs are the intended API endpoint and documentation references, not suspicious destinations.
README_CN.md:13-15README_CN.md:20README.md:13-15README.md:20references/api-video-user.md:3-4references/param-mappings.md:3-40
Shell command patterns in documentation files
README.md, README_CN.md, and reference documentation files contain shell command patterns (backtick usage in markdown code blocks). These are FALSE POSITIVES - the commands appear in documentation code blocks for human readers, not as executable instructions for the AI agent. The backticks are markdown formatting for code examples showing install and setup steps.
references/api-video-user.md:15references/api-video-user.md:23references/api-video-user.md:41references/api-video-user.md:49references/api-video-user.md:66references/api-video-user.md:74references/api-video-user.md:92references/api-video-user.md:100references/api-video-user.md:117references/api-video-user.md:126references/api-video-user.md:146references/api-video-user.md:156references/api-video-user.md:175references/api-video-user.md:187
Weak cryptographic algorithm reference (Base64)
Static analyzer flagged 'Base64 encoding' in API documentation as a weak cryptographic algorithm (references/api-video-user.md:15,23,41,49). This is a FALSE POSITIVE - Base64 is used as a data encoding format for video URLs in API responses, not for security purposes. The documentation states 'Base64 encoded play address, needs front-end decoding.'
references/api-video-user.md:17references/api-video-user.md:28references/api-video-user.md:43references/api-video-user.md:54references/api-video-user.md:68references/api-video-user.md:79references/api-video-user.md:94references/api-video-user.md:105references/api-video-user.md:119references/api-video-user.md:131references/api-video-user.md:148references/api-video-user.md:161references/param-mappings.md:9references/param-mappings.md:13references/param-mappings.md:17references/param-mappings.md:21references/param-mappings.md:25references/param-mappings.md:30
System reconnaissance pattern (example IDs in documentation)
Static analyzer flagged example video IDs and user IDs in parameter tables as 'system reconnaissance.' These are FALSE POSITIVES - the values (e.g., item_id=7354954305222377999, user_id=52712347586) are sample/example IDs in API documentation, not actual reconnaissance attempts.
README_CN.md:1
High file entropy heuristic (Chinese UTF-8 content)
Static analyzer flagged README_CN.md for high file entropy (6.02 bits) suggesting possible binary or encrypted content. This is a FALSE POSITIVE - the file contains standard Chinese UTF-8 text which naturally has higher byte entropy than ASCII text due to multi-byte character encoding.

リスク要因

🌐 ネットワークアクセス (19)
_meta.json:6 _meta.json:7 README_CN.md:19 README_CN.md:32 README_CN.md:36 README.md:19 README.md:32 README.md:36 references/api-video-user.md:3 references/param-mappings.md:3 SKILL.md:18 SKILL.md:22 SKILL.md:30 SKILL.md:32 SKILL.md:45 SKILL.md:53 SKILL.md:57 SKILL.md:77 SKILL.md:88
⚙️ 外部コマンド (57)
README_CN.md:13-15 README_CN.md:15-20 README_CN.md:20 README.md:13-15 README.md:15-20 README.md:20 references/api-video-user.md:3 references/api-video-user.md:4 references/api-video-user.md:9 references/api-video-user.md:21 references/api-video-user.md:35 references/api-video-user.md:47 references/api-video-user.md:60 references/api-video-user.md:72 references/api-video-user.md:86 references/api-video-user.md:98 references/api-video-user.md:111 references/api-video-user.md:124 references/api-video-user.md:140 references/api-video-user.md:154 references/api-video-user.md:169 references/api-video-user.md:185 references/param-mappings.md:3 references/param-mappings.md:3 references/param-mappings.md:9 references/param-mappings.md:9 references/param-mappings.md:13 references/param-mappings.md:13 references/param-mappings.md:17 references/param-mappings.md:17 references/param-mappings.md:21 references/param-mappings.md:21 references/param-mappings.md:25 references/param-mappings.md:25 references/param-mappings.md:26 references/param-mappings.md:30 references/param-mappings.md:30 references/param-mappings.md:31 references/param-mappings.md:32 references/param-mappings.md:36 references/param-mappings.md:36 references/param-mappings.md:37 references/param-mappings.md:38 references/param-mappings.md:39 references/param-mappings.md:40 SKILL.md:45 SKILL.md:47 SKILL.md:47 SKILL.md:49-61 SKILL.md:61-67 SKILL.md:67-69 SKILL.md:69-80 SKILL.md:80-81 SKILL.md:81-91 SKILL.md:91-92 SKILL.md:92-106 SKILL.md:106-154
🔑 環境変数 (15)
README_CN.md:20 README.md:20 references/api-video-user.md:4 SKILL.md:10 SKILL.md:13 SKILL.md:17 SKILL.md:47 SKILL.md:50 SKILL.md:68 SKILL.md:80 SKILL.md:81 SKILL.md:81 SKILL.md:91 SKILL.md:92 SKILL.md:92

検出されたパターン

curl command execution with environment variable credentials

監査バージョン 1

安全

May 9, 2026, 07:50 AM

All 72 static findings evaluated as false positives. The skill is a legitimate API integration for Xigua Video data access. Environment variables (MAXHUB_API_KEY, MAXHUB_BASE_URL) are properly documented for authentication. URL paths and API endpoints in documentation triggered backtick detection but are not actual shell commands. Network access is limited to user-configured MaxHub API endpoint. No filesystem access, no platform manipulation operations. All security controls are properly documented in metadata.

3
スキャンされたファイル
303
解析された行数
3
検出結果
claude
監査者
セキュリティ問題は見つかりませんでした

リスク要因

⚙️ 外部コマンド
特定の場所は記録されていません
🌐 ネットワークアクセス
特定の場所は記録されていません
🔑 環境変数
特定の場所は記録されていません
← スキルに戻る