技能 maxhub-weibo 审计历史
🐦

审计历史

maxhub-weibo - 2 审计

审计版本 2

最新 低风险

May 20, 2026, 01:16 PM

This skill is a legitimate Weibo data query assistant that calls a third-party API (aconfig.cn) using a user-provided API key. Static analysis reported 676 potential issues, but nearly all are false positives: 'weak cryptographic algorithm' findings are markdown table separators (|---|---|), 'shell backtick execution' findings are curl examples in documentation code blocks, and 'system reconnaissance' findings are API parameter documentation. The skill is transparent about its credential usage and network calls. Low risk - publish with standard warnings about third-party API usage.

10
已扫描文件
2,645
分析行数
8
发现项
claude
审计者
中风险问题 (2)
SKILL.md:10-20SKILL.md:47-50
Third-party API credential usage
The skill reads MAXHUB_API_KEY from environment variables and sends it as a Bearer token to www.aconfig.cn for API authentication. This is intentional and documented behavior for the skill's functionality.
SKILL.md:45-61references/api-post.md:3-4references/api-search.md:3-4
External network requests via curl
The skill executes curl commands to make HTTP requests to www.aconfig.cn. All commands use hardcoded URLs and environment variable for auth. No dynamic command injection is possible as the reference files define fixed endpoints.
低风险问题 (3)
references/api-post.md:15references/api-search.md:15references/api-user.md:21
Markdown tables flagged as weak cryptographic algorithm
Static analyzer incorrectly flagged markdown table separator rows (e.g., '|---|---|---|') as 'weak cryptographic algorithm' at 138 locations across reference files. These are standard markdown formatting, not encryption.
references/api-trending.md:17references/api-post.md:17
API parameter documentation flagged as system reconnaissance
Static analyzer flagged example parameter values and container IDs in API documentation as 'system reconnaissance'. These are legitimate documentation values like container IDs for Weibo channel categories.
README_CN.md:1references/api-post.md:1
High entropy detection on bilingual documentation
Static analyzer flagged high file entropy on files containing mixed Chinese and English text. This is expected for a bilingual skill documentation file, not obfuscation.

风险因素

🌐 网络访问 (14)
_meta.json:6 _meta.json:7 README.md:23 SKILL.md:18 SKILL.md:22 SKILL.md:30 SKILL.md:45 SKILL.md:53-57 references/api-post.md:3 references/api-search.md:3 references/api-trending.md:3 references/api-user.md:3 references/api-video-feed.md:3 references/param-mappings.md:3
⚙️ 外部命令 (2)
SKILL.md:49-61 README.md:17-19
🔑 环境变量 (7)
SKILL.md:10-13 SKILL.md:17-20 SKILL.md:47-50 README.md:24 references/api-post.md:4 references/api-search.md:4 references/api-user.md:4

审计版本 1

低风险

May 9, 2026, 07:45 AM

This is a legitimate data fetching skill that provides documentation for accessing Weibo public data through the MaxHub API. Static analysis flagged 216 potential issues but evaluation confirms these are all false positives: backticks in markdown tables were misidentified as shell commands, environment variable access is intentional for API authentication, and network access is required for data retrieval. No malicious code or intent detected. The skill explicitly prohibits platform manipulation and only accesses public data.

3
已扫描文件
499
分析行数
6
发现项
claude
审计者

高风险问题 (2)

SKILL.md:11-12
API Credential Access via Environment Variables
The skill requires MAXHUB_API_KEY environment variable for API authentication. This is intentional and documented in the skill metadata.
SKILL.md:26-27
External Network Access via HTTPS
The skill makes HTTPS requests to the MaxHub API endpoint to fetch Weibo public data. Network access is required and documented.
中风险问题 (1)
SKILL.md:42-44SKILL.md:75-79SKILL.md:307-311
Documentation Contains Shell Command Syntax
The skill documentation includes curl command examples with environment variable syntax (${VAR}) showing how to make API requests. These are documentation examples, not executable code.
低风险问题 (1)
Static Analysis Pattern False Positives
The static analyzer flagged 216 potential security issues (157 external_commands, 13 env_access, 5 network, plus blockers/obfuscation). Manual evaluation confirms all are false positives: markdown backticks misidentified as shell commands, legitimate environment access, and documentation formatting misinterpreted as code.

风险因素

🌐 网络访问 (5)
SKILL.md:26 SKILL.md:27 SKILL.md:46 SKILL.md:67 SKILL.md:86
🔑 环境变量 (13)
SKILL.md:11 SKILL.md:12 SKILL.md:17 SKILL.md:43 SKILL.md:69 SKILL.md:78 SKILL.md:85 SKILL.md:92 SKILL.md:309 SKILL.md:318 SKILL.md:325 SKILL.md:334 SKILL.md:341
← 返回技能