Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
minimax-tokenplan-image-generation
v0.9.5
Generate images using MiniMax image-01 model. Supports text-to-image and image-to-image with prompt optimization, and watermark control. Preferred skill for...
by k.x.@4833675
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name and description (image generation using the MiniMax image-01 model) match the included script and instructions. However, the registry metadata and SKILL.md declare MINIMAX_API_KEY as a required environment variable, while the shipped script never reads that variable (it expects the key to be embedded in a top-of-file constant or passed via --api-key). This mismatch between the declared requirements and the actual usage is surprising and unnecessary.
Instruction Scope
The runtime instructions ask the user to edit scripts/generate.py to insert the API key and base URL, then delete the init section. The script reads local image files (if provided), converts them to base64 and sends them to the remote API. That is expected for image-to-image mode, but it means the contents of any local image the user points it at are transmitted to an external service. The SKILL.md otherwise stays within the stated purpose and does not instruct reading unrelated files or secrets, but the manual-edit flow increases the chance that a user will embed a secret in source on disk.
Install Mechanism
The registry metadata declares no install spec, but SKILL.md contains an 'install' metadata entry pointing to https://clawhub.ai/skills/minimax-tokenplan-image-generation. That URL is not a standard release host (such as GitHub releases) and could be used to serve arbitrary archives if followed. The package itself is instruction-only with a local Python script, and its only dependency is the 'requests' package installed via pip. If you rely on the SKILL.md install link, treat it as an external download from a third-party domain and verify its contents before running anything.
Credentials
Only one credential is requested (MINIMAX_API_KEY), which is appropriate for this API integration. But the script does not actually read MINIMAX_API_KEY from the environment — it expects either the top-of-file API_KEY constant to be edited or --api-key to be passed on invocation. Declaring an env var requirement that is never used is an inconsistency and could mislead users into believing the key is supplied safely when it is not. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes generated files to a shared directory (~/.openclaw/media/minimax/) by default — this is expected for output storage but may expose generated images to other agents sharing that path. Filesystem write and network access are required for its function; consider changing the default output directory if you want per-agent isolation.
What to consider before installing
- The script is a straightforward wrapper for a remote MiniMax image API and needs a MiniMax API key. Prefer passing the key at runtime (--api-key) or modify the script to read MINIMAX_API_KEY from the environment (os.environ) rather than embedding the key directly in the file.
- Image-to-image mode will read local files and upload them (converted to base64) to the remote API — only use it with images you are comfortable sending to an external service.
- The SKILL.md includes an install/download URL on clawhub.ai; the registry itself has no install spec. Do not download or run archives from that URL without inspecting them. If you need to install anything, only pip install the well-known requests package.
- The script writes outputs to ~/.openclaw/media/minimax/ (shared among agents). If that is sensitive, change OUTPUT_DIR in the script before running.
- The declared required env var (MINIMAX_API_KEY) is inconsistent with the shipped code — verify how your agent will supply the key (env vs file edit vs CLI). Prefer environment-based injection over editing source files.
- If you want more assurance: open and review scripts/generate.py yourself (it is short and readable), verify the API base URLs and TLS, and test with a non-sensitive key or dummy image first.
Given these mismatches and privacy tradeoffs (local file upload and a third-party install link), treat the skill as plausible but verify the points above before use.
Runtime requirements
- Host: 🎨 Clawdis
- OS: macOS · Linux · Windows
- Bins: python3
- Env: MINIMAX_API_KEY
