📦

Audit History

maxhub-pipixia - 2 audits

Audit version 2

Latest Low Risk

May 20, 2026, 12:51 PM

This skill is an API wrapper for querying PiPiXia social media data through the MaxHub API. All 225 static analysis findings are false positives. URLs point to the legitimate MaxHub API service at aconfig.cn. Shell execution patterns are markdown code examples showing curl commands for API access. Environment variable MAXHUB_API_KEY is properly declared with sensitive flag and used only for API authentication. No obfuscation, data exfiltration, or malicious patterns were found.

Files scanned

825

Lines analyzed

findings

claude

Audited by

Low Risk Issues (6)

_meta.json:6-7 SKILL.md:18-22

Hardcoded URLs in documentation are legitimate API references

All 22 hardcoded URL findings point to https://www.aconfig.cn, which is the legitimate MaxHub API service. These URLs appear in metadata, README docs, and API reference files as documentation of the API base URL and registration website. This is expected behavior for an API wrapper skill.

SKILL.md:49-61 references/api-post-user.md:3-4

Shell command patterns are markdown code examples

All 123 shell execution findings are curl commands inside markdown code blocks. These are documentation examples showing users how to make API calls. The skill is designed to use curl for querying the MaxHub API, and these patterns are expected for this type of skill.

SKILL.md:10-20 SKILL.md:47-50

Environment variable MAXHUB_API_KEY is properly declared as sensitive

The 16 env_access findings refer to MAXHUB_API_KEY usage. The SKILL.md properly declares this variable with sensitive: true in its metadata, uses it only for API Bearer token authentication, and includes credential handling guidelines that instruct keeping API keys out of output.

references/api-post-user.md:15 references/api-search-trending.md:15

Cryptographic algorithm findings are social media terminology

All 'Weak cryptographic algorithm' findings are triggered by the term 'hashtag' in API parameter documentation (e.g., hashtag_id, hashtag_post_list). 'Hashtag' is a social media term for content categorization on PiPiXia, not a reference to cryptographic hashing.

references/api-post-user.md:17 references/param-mappings.md:9

System reconnaissance findings are example API parameters

All system reconnaissance findings reference example parameter values like user IDs and video IDs in API documentation tables. These are placeholder values used to document API parameter formats, not actual reconnaissance attempts.

SKILL.md:3-25

Dangerous combination heuristic is false positive for API wrapper skill

The static analyzer flagged the combination of external_commands + network + env_access as dangerous. However, this combination is by design for an API wrapper skill: curl is used to make HTTP requests to a single legitimate API, with a properly declared API key. No obfuscation or data exfiltration was detected.

Risk Factors

🌐 Network access (22)

⚙️ External commands (123)

🔑 Env variables (16)

README_CN.md:22 README.md:22 references/api-post-user.md:4 references/api-search-trending.md:4 SKILL.md:10 SKILL.md:13 SKILL.md:17 SKILL.md:47 SKILL.md:50 SKILL.md:68 SKILL.md:80 SKILL.md:81 SKILL.md:81 SKILL.md:91 SKILL.md:92 SKILL.md:92

Audit version 1

Safe

May 9, 2026, 07:23 AM

Static analyzer flagged 96 potential issues as NEEDS_AI. Manual semantic evaluation reveals all findings are FALSE POSITIVES. Backtick patterns are markdown code fences (not Ruby execution), env_access references are legitimate API key usage for MaxHub authentication, and network URLs are the documented MaxHub API endpoints. No actual malicious behavior detected. The skill is a legitimate PiPiXia data collection tool with explicit security documentation.

Files scanned

364

Lines analyzed

findings

claude

Audited by

No security issues found

← Back to Skill