Навыки maxhub-kuaishou История аудитов
🎬

История аудитов

maxhub-kuaishou - 2 аудиты

Версия аудита 2

Последняя Низкий риск

May 20, 2026, 12:45 PM

This skill is a legitimate API wrapper for querying Kuaishou data through the MaxHub service (www.aconfig.cn). All 135 static findings have been evaluated as false positives: hardcoded URLs point to the documented API endpoint, shell commands are documentation examples for curl-based API calls, and env access is for the declared MAXHUB_API_KEY credential. The skill transparently declares its requirements and usage patterns. No malicious intent, obfuscation, or prompt injection detected.

7
Просканировано файлов
609
Проанализировано строк
6
находки
claude
Проверено
Проблемы низкого риска (3)
SKILL.md:10SKILL.md:13SKILL.md:17SKILL.md:50SKILL.md:68
API Credential Access in Environment Variables
The skill accesses MAXHUB_API_KEY from environment variables for API authentication. This is a legitimate and declared requirement documented in SKILL.md metadata. Users must configure their own API key obtained from aconfig.cn. The key is used only as Bearer token for authorized API calls.
SKILL.md:45-61references/api-video.md:3-4references/api-user.md:3-4
External API Network Calls via curl
The skill uses curl to make HTTP requests to the MaxHub API at www.aconfig.cn. These are documented, legitimate API calls for querying Kuaishou data. All API endpoints and parameters are defined in reference documentation files. The pattern is standard for API wrapper skills.
SKILL.md:49-61SKILL.md:67-69SKILL.md:80-81SKILL.md:91-92
Shell Command Documentation in Code Blocks
Bash code blocks in SKILL.md and README files show curl commands and environment variable checks. These are documentation examples for user reference, not active code execution. The commands execute legitimate API calls for the skill's intended purpose.

Факторы риска

🌐 Доступ к сети (25)
_meta.json:6 _meta.json:7 README_CN.md:22 README_CN.md:38 README_CN.md:42 README.md:22 README.md:38 README.md:42 references/api-user.md:3 references/api-user.md:17 references/api-user.md:112 references/api-video.md:3 references/api-video.md:43 references/param-mappings.md:3 references/param-mappings.md:9 references/param-mappings.md:21 SKILL.md:18 SKILL.md:22 SKILL.md:30 SKILL.md:32 SKILL.md:45 SKILL.md:53 SKILL.md:57 SKILL.md:77 SKILL.md:88
⚙️ Внешние команды (15)
README_CN.md:16-18 README_CN.md:18-23 README_CN.md:23 README.md:16-18 README.md:18-23 README.md:23 references/api-user.md:3-4 references/api-user.md:9 references/api-video.md:3-4 references/api-video.md:9 SKILL.md:45-61 SKILL.md:67-69 SKILL.md:80-81 SKILL.md:91-92 SKILL.md:106-109
🔑 Переменные окружения (11)
README_CN.md:23 README.md:23 references/api-user.md:4 references/api-video.md:4 SKILL.md:10 SKILL.md:13 SKILL.md:17 SKILL.md:50 SKILL.md:68 SKILL.md:80-81 SKILL.md:91-92

Обнаруженные паттерны

Combined Network, Command Execution, and Credential Access

Версия аудита 1

Низкий риск

May 9, 2026, 07:16 AM

Security evaluation completed. Static scanner flagged 134 potential issues, but review reveals all findings are false positives. The skill uses template variables in markdown documentation (e.g. ${MAXHUB_API_KEY}) which triggered command execution alerts. Network and environment variable detections are intentional design - the skill is designed to communicate only with MaxHub API using environment-provided credentials. The skill explicitly documents its security boundaries in metadata.

3
Просканировано файлов
392
Проанализировано строк
4
находки
claude
Проверено
Проблемы низкого риска (2)
references/api-catalog.md:9-56references/chain-patterns.md:8-12SKILL.md:43-283
False Positive: Command Execution Detection in Documentation
Static scanner flagged 'Ruby/shell backtick execution' patterns in markdown files. These are documentation code blocks containing template variables like ${MAXHUB_API_KEY} - not actual shell commands being executed. The skill is markdown-based instruction documentation, not executable code.
SKILL.md:1references/chain-patterns.md:1
False Positive: High File Entropy Detection
Static scanner flagged high entropy strings in SKILL.md and references/chain-patterns.md. This is caused by Chinese characters encoded in UTF-8, not encrypted or obfuscated content. The skill contains bilingual (Chinese/English) documentation.

Факторы риска

🌐 Доступ к сети (5)
SKILL.md:26 SKILL.md:27 SKILL.md:47 SKILL.md:68 SKILL.md:87
🔑 Переменные окружения (13)
SKILL.md:11 SKILL.md:12 SKILL.md:17 SKILL.md:44 SKILL.md:70 SKILL.md:79 SKILL.md:86 SKILL.md:93 SKILL.md:248 SKILL.md:257 SKILL.md:264 SKILL.md:273 SKILL.md:280
← Назад к навыку