Skills maxhub-kuaishou Audit History
🎬

Audit History

maxhub-kuaishou - 2 audits

Audit version 2

Latest Low Risk

May 20, 2026, 12:45 PM

This skill is a legitimate API wrapper for querying Kuaishou data through the MaxHub service (www.aconfig.cn). All 135 static findings have been evaluated as false positives: hardcoded URLs point to the documented API endpoint, shell commands are documentation examples for curl-based API calls, and env access is for the declared MAXHUB_API_KEY credential. The skill transparently declares its requirements and usage patterns. No malicious intent, obfuscation, or prompt injection detected.

7
Files scanned
609
Lines analyzed
6
findings
claude
Audited by
Low Risk Issues (3)
SKILL.md:10SKILL.md:13SKILL.md:17SKILL.md:50SKILL.md:68
API Credential Access in Environment Variables
The skill accesses MAXHUB_API_KEY from environment variables for API authentication. This is a legitimate and declared requirement documented in SKILL.md metadata. Users must configure their own API key obtained from aconfig.cn. The key is used only as Bearer token for authorized API calls.
SKILL.md:45-61references/api-video.md:3-4references/api-user.md:3-4
External API Network Calls via curl
The skill uses curl to make HTTP requests to the MaxHub API at www.aconfig.cn. These are documented, legitimate API calls for querying Kuaishou data. All API endpoints and parameters are defined in reference documentation files. The pattern is standard for API wrapper skills.
SKILL.md:49-61SKILL.md:67-69SKILL.md:80-81SKILL.md:91-92
Shell Command Documentation in Code Blocks
Bash code blocks in SKILL.md and README files show curl commands and environment variable checks. These are documentation examples for user reference, not active code execution. The commands execute legitimate API calls for the skill's intended purpose.

Risk Factors

🌐 Network access (25)
_meta.json:6 _meta.json:7 README_CN.md:22 README_CN.md:38 README_CN.md:42 README.md:22 README.md:38 README.md:42 references/api-user.md:3 references/api-user.md:17 references/api-user.md:112 references/api-video.md:3 references/api-video.md:43 references/param-mappings.md:3 references/param-mappings.md:9 references/param-mappings.md:21 SKILL.md:18 SKILL.md:22 SKILL.md:30 SKILL.md:32 SKILL.md:45 SKILL.md:53 SKILL.md:57 SKILL.md:77 SKILL.md:88
⚙️ External commands (15)
README_CN.md:16-18 README_CN.md:18-23 README_CN.md:23 README.md:16-18 README.md:18-23 README.md:23 references/api-user.md:3-4 references/api-user.md:9 references/api-video.md:3-4 references/api-video.md:9 SKILL.md:45-61 SKILL.md:67-69 SKILL.md:80-81 SKILL.md:91-92 SKILL.md:106-109
🔑 Env variables (11)
README_CN.md:23 README.md:23 references/api-user.md:4 references/api-video.md:4 SKILL.md:10 SKILL.md:13 SKILL.md:17 SKILL.md:50 SKILL.md:68 SKILL.md:80-81 SKILL.md:91-92

Detected Patterns

Combined Network, Command Execution, and Credential Access

Audit version 1

Low Risk

May 9, 2026, 07:16 AM

Security evaluation completed. Static scanner flagged 134 potential issues, but review reveals all findings are false positives. The skill uses template variables in markdown documentation (e.g. ${MAXHUB_API_KEY}) which triggered command execution alerts. Network and environment variable detections are intentional design - the skill is designed to communicate only with MaxHub API using environment-provided credentials. The skill explicitly documents its security boundaries in metadata.

3
Files scanned
392
Lines analyzed
4
findings
claude
Audited by
Low Risk Issues (2)
references/api-catalog.md:9-56references/chain-patterns.md:8-12SKILL.md:43-283
False Positive: Command Execution Detection in Documentation
Static scanner flagged 'Ruby/shell backtick execution' patterns in markdown files. These are documentation code blocks containing template variables like ${MAXHUB_API_KEY} - not actual shell commands being executed. The skill is markdown-based instruction documentation, not executable code.
SKILL.md:1references/chain-patterns.md:1
False Positive: High File Entropy Detection
Static scanner flagged high entropy strings in SKILL.md and references/chain-patterns.md. This is caused by Chinese characters encoded in UTF-8, not encrypted or obfuscated content. The skill contains bilingual (Chinese/English) documentation.

Risk Factors

🌐 Network access (5)
SKILL.md:26 SKILL.md:27 SKILL.md:47 SKILL.md:68 SKILL.md:87
🔑 Env variables (13)
SKILL.md:11 SKILL.md:12 SKILL.md:17 SKILL.md:44 SKILL.md:70 SKILL.md:79 SKILL.md:86 SKILL.md:93 SKILL.md:248 SKILL.md:257 SKILL.md:264 SKILL.md:273 SKILL.md:280
← Back to Skill