Skill maxhub-pipixia audit history

Audit history

maxhub-pipixia - 2 audits

Audit version 2

Latest - Low risk

May 20, 2026, 12:51 PM

This skill is an API wrapper for querying PiPiXia social media data through the MaxHub API. All 225 static analysis findings are false positives. URLs point to the legitimate MaxHub API service at aconfig.cn. Shell execution patterns are markdown code examples showing curl commands for API access. Environment variable MAXHUB_API_KEY is properly declared with sensitive flag and used only for API authentication. No obfuscation, data exfiltration, or malicious patterns were found.

Files scanned: 7
Lines analyzed: 825
Findings: 9
Auditor: claude
Low-risk issues (6)
Hardcoded URLs in documentation are legitimate API references
All 22 hardcoded URL findings point to https://www.aconfig.cn, which is the legitimate MaxHub API service. These URLs appear in metadata, README docs, and API reference files as documentation of the API base URL and registration website. This is expected behavior for an API wrapper skill.
Shell command patterns are markdown code examples
All 123 shell execution findings are curl commands inside markdown code blocks. These are documentation examples showing users how to make API calls. The skill is designed to use curl for querying the MaxHub API, and these patterns are expected for this type of skill.
Environment variable MAXHUB_API_KEY is properly declared as sensitive
The 16 env_access findings refer to MAXHUB_API_KEY usage. The SKILL.md properly declares this variable with sensitive: true in its metadata, uses it only for API Bearer token authentication, and includes credential handling guidelines that instruct keeping API keys out of output.
Cryptographic algorithm findings are social media terminology
All 'Weak cryptographic algorithm' findings are triggered by the term 'hashtag' in API parameter documentation (e.g., hashtag_id, hashtag_post_list). 'Hashtag' is a social media term for content categorization on PiPiXia, not a reference to cryptographic hashing.
System reconnaissance findings are example API parameters
All system reconnaissance findings reference example parameter values like user IDs and video IDs in API documentation tables. These are placeholder values used to document API parameter formats, not actual reconnaissance attempts.
Dangerous combination heuristic is a false positive for an API wrapper skill
The static analyzer flagged the combination of external_commands + network + env_access as dangerous. However, this combination is by design for an API wrapper skill: curl is used to make HTTP requests to a single legitimate API, with a properly declared API key. No obfuscation or data exfiltration was detected.

Risk factors

🌐 Network access (22)
⚙️ External commands (123)
🔑 Environment variables (16)

Audit version 1

Safe

May 9, 2026, 07:23 AM

Static analyzer flagged 96 potential issues as NEEDS_AI. Manual semantic evaluation reveals all findings are FALSE POSITIVES. Backtick patterns are markdown code fences (not Ruby execution), env_access references are legitimate API key usage for MaxHub authentication, and network URLs are the documented MaxHub API endpoints. No actual malicious behavior detected. The skill is a legitimate PiPiXia data collection tool with explicit security documentation.

Files scanned: 3
Lines analyzed: 364
Findings: 0
Auditor: claude
No security issues found