技能 maxhub-xigua 审计历史
📦

审计历史

maxhub-xigua - 2 审计

审计版本 2

最新 中风险

May 20, 2026, 01:20 PM

This skill is a legitimate API client for Xigua Video data via the MaxHub service. Static analysis found 133 potential issues, but the vast majority are false positives from documentation files (READMEs, reference docs) where shell commands appear in markdown code blocks and URLs point to the legitimate service endpoint at www.aconfig.cn. The genuine risk is MEDIUM: the skill instructs the AI agent to execute curl commands with an API key environment variable (MAXHUB_API_KEY). While this is normal for an API client, the combination of shell execution, network access, and credential usage creates a real attack surface if the AI is manipulated via prompt injection. No malicious intent, obfuscation, or data exfiltration patterns were found.

6
已扫描文件
506
分析行数
9
发现项
claude
审计者
中风险问题 (1)
SKILL.md:45-61SKILL.md:67-69SKILL.md:80-92
Shell command execution via curl with API credentials
SKILL.md instructs the AI agent to execute curl commands using the MAXHUB_API_KEY environment variable for API authentication (SKILL.md:45-61, 67-69, 80-92). This is the intended behavior for an API client, but the combination of shell execution with credential access creates a prompt injection attack surface where a manipulated AI could be redirected to exfiltrate the API key to a different endpoint.
低风险问题 (5)
_meta.json:6-7README.md:19README.md:32README.md:36README_CN.md:19README_CN.md:32README_CN.md:36SKILL.md:18SKILL.md:22SKILL.md:30SKILL.md:32SKILL.md:45SKILL.md:53SKILL.md:57SKILL.md:77SKILL.md:88
Hardcoded URLs in documentation files
Multiple files contain hardcoded URLs pointing to www.aconfig.cn, the legitimate MaxHub API service. These are FALSE POSITIVES - the URLs are the intended API endpoint and documentation references, not suspicious destinations.
README_CN.md:13-15README_CN.md:20README.md:13-15README.md:20references/api-video-user.md:3-4references/param-mappings.md:3-40
Shell command patterns in documentation files
README.md, README_CN.md, and reference documentation files contain shell command patterns (backtick usage in markdown code blocks). These are FALSE POSITIVES - the commands appear in documentation code blocks for human readers, not as executable instructions for the AI agent. The backticks are markdown formatting for code examples showing install and setup steps.
references/api-video-user.md:15references/api-video-user.md:23references/api-video-user.md:41references/api-video-user.md:49references/api-video-user.md:66references/api-video-user.md:74references/api-video-user.md:92references/api-video-user.md:100references/api-video-user.md:117references/api-video-user.md:126references/api-video-user.md:146references/api-video-user.md:156references/api-video-user.md:175references/api-video-user.md:187
Weak cryptographic algorithm reference (Base64)
Static analyzer flagged 'Base64 encoding' in API documentation as a weak cryptographic algorithm (references/api-video-user.md:15,23,41,49). This is a FALSE POSITIVE - Base64 is used as a data encoding format for video URLs in API responses, not for security purposes. The documentation states 'Base64 encoded play address, needs front-end decoding.'
references/api-video-user.md:17references/api-video-user.md:28references/api-video-user.md:43references/api-video-user.md:54references/api-video-user.md:68references/api-video-user.md:79references/api-video-user.md:94references/api-video-user.md:105references/api-video-user.md:119references/api-video-user.md:131references/api-video-user.md:148references/api-video-user.md:161references/param-mappings.md:9references/param-mappings.md:13references/param-mappings.md:17references/param-mappings.md:21references/param-mappings.md:25references/param-mappings.md:30
System reconnaissance pattern (example IDs in documentation)
Static analyzer flagged example video IDs and user IDs in parameter tables as 'system reconnaissance.' These are FALSE POSITIVES - the values (e.g., item_id=7354954305222377999, user_id=52712347586) are sample/example IDs in API documentation, not actual reconnaissance attempts.
README_CN.md:1
High file entropy heuristic (Chinese UTF-8 content)
Static analyzer flagged README_CN.md for high file entropy (6.02 bits) suggesting possible binary or encrypted content. This is a FALSE POSITIVE - the file contains standard Chinese UTF-8 text which naturally has higher byte entropy than ASCII text due to multi-byte character encoding.

风险因素

🌐 网络访问 (19)
_meta.json:6 _meta.json:7 README_CN.md:19 README_CN.md:32 README_CN.md:36 README.md:19 README.md:32 README.md:36 references/api-video-user.md:3 references/param-mappings.md:3 SKILL.md:18 SKILL.md:22 SKILL.md:30 SKILL.md:32 SKILL.md:45 SKILL.md:53 SKILL.md:57 SKILL.md:77 SKILL.md:88
⚙️ 外部命令 (57)
README_CN.md:13-15 README_CN.md:15-20 README_CN.md:20 README.md:13-15 README.md:15-20 README.md:20 references/api-video-user.md:3 references/api-video-user.md:4 references/api-video-user.md:9 references/api-video-user.md:21 references/api-video-user.md:35 references/api-video-user.md:47 references/api-video-user.md:60 references/api-video-user.md:72 references/api-video-user.md:86 references/api-video-user.md:98 references/api-video-user.md:111 references/api-video-user.md:124 references/api-video-user.md:140 references/api-video-user.md:154 references/api-video-user.md:169 references/api-video-user.md:185 references/param-mappings.md:3 references/param-mappings.md:3 references/param-mappings.md:9 references/param-mappings.md:9 references/param-mappings.md:13 references/param-mappings.md:13 references/param-mappings.md:17 references/param-mappings.md:17 references/param-mappings.md:21 references/param-mappings.md:21 references/param-mappings.md:25 references/param-mappings.md:25 references/param-mappings.md:26 references/param-mappings.md:30 references/param-mappings.md:30 references/param-mappings.md:31 references/param-mappings.md:32 references/param-mappings.md:36 references/param-mappings.md:36 references/param-mappings.md:37 references/param-mappings.md:38 references/param-mappings.md:39 references/param-mappings.md:40 SKILL.md:45 SKILL.md:47 SKILL.md:47 SKILL.md:49-61 SKILL.md:61-67 SKILL.md:67-69 SKILL.md:69-80 SKILL.md:80-81 SKILL.md:81-91 SKILL.md:91-92 SKILL.md:92-106 SKILL.md:106-154
🔑 环境变量 (15)
README_CN.md:20 README.md:20 references/api-video-user.md:4 SKILL.md:10 SKILL.md:13 SKILL.md:17 SKILL.md:47 SKILL.md:50 SKILL.md:68 SKILL.md:80 SKILL.md:81 SKILL.md:81 SKILL.md:91 SKILL.md:92 SKILL.md:92

检测到的模式

curl command execution with environment variable credentials

审计版本 1

安全

May 9, 2026, 07:50 AM

All 72 static findings evaluated as false positives. The skill is a legitimate API integration for Xigua Video data access. Environment variables (MAXHUB_API_KEY, MAXHUB_BASE_URL) are properly documented for authentication. URL paths and API endpoints in documentation triggered backtick detection but are not actual shell commands. Network access is limited to user-configured MaxHub API endpoint. No filesystem access, no platform manipulation operations. All security controls are properly documented in metadata.

3
已扫描文件
303
分析行数
3
发现项
claude
审计者
未发现安全问题

风险因素

⚙️ 外部命令
未记录任何特定位置
🌐 网络访问
未记录任何特定位置
🔑 环境变量
未记录任何特定位置
← 返回技能