Audit history
maxhub-lemon8 - 3 audits
Audit version 3
Latest - Low risk - May 20, 2026, 02:23 PM
This skill is an API documentation helper for querying Lemon8 content through the MaxHub API. All 208 static findings were evaluated: the external_commands (118) are FALSE POSITIVES caused by markdown code blocks being misidentified as shell backtick execution. The network (24) and env_access (16) findings are TRUE POSITIVES but reflect expected behavior for an API client skill that uses curl and a documented MAXHUB_API_KEY environment variable. No malicious intent, obfuscation, data exfiltration, or prompt injection was detected. The skill transparently documents its API dependencies and authentication requirements.
Low-risk issues (2)
Risk factors
🌐 Network access (24)
⚙️ External commands (118)
Audit version 2
Low risk - May 20, 2026, 12:47 PM
Static analysis found 208 potential issues across 7 files (780 lines). All findings are FALSE POSITIVES after AI review. The skill is a legitimate API client for Lemon8 content data via the MaxHub API at aconfig.cn. Network requests target a single documented API endpoint. Environment variable access retrieves a user-provided API key for Bearer token authentication. External command references (curl) appear in markdown code blocks as API usage documentation and instructions. No obfuscation, data exfiltration, or malicious intent detected. The heuristic critical finding for capability combination is dismissed as legitimate API client behavior. Risk level is LOW; the skill is safe to publish with standard API client warnings.
Medium-risk issues (1)
Low-risk issues (2)
Risk factors
🌐 Network access (24)
🔑 Environment variables (16)
⚙️ External commands (2)
Audit version 1
Low risk - May 9, 2026, 07:18 AM
This skill is a legitimate Lemon8 social media data collection API wrapper. Static findings for external_commands and system_reconnaissance are FALSE POSITIVES - the scanner misidentified template syntax placeholders and API documentation as shell commands. Environment variable access (MAXHUB_API_KEY, MAXHUB_BASE_URL) is clearly documented and intentional for API authentication. Network access is limited to the MaxHub API service endpoints only. High entropy warnings are FALSE POSITIVES caused by Chinese text characters which naturally have higher byte entropy than ASCII text.