minimax-tokenplan-music

This skill appears to do what it claims (wrap MiniMax music generation), but there are some red flags you should consider before installing: - API key handling: The registry/metadata lists MINIMAX_API_KEY as required, but the shipped script defaults to a hard-coded API_KEY and the SKILL.md tells you to paste your key into the script. Do NOT store secrets in plain text under your workspace. Prefer passing the key at runtime with --api-key or ask the maintainer to make the script read MINIMAX_API_KEY from the environment. - Local file upload: If you use cover mode with a local audio file, the script base64-encodes the file and sends it to the remote MiniMax endpoint. Only use local files you are comfortable sending to that service. - File edits and cleanup: The instructions ask you to edit and delete sections of the SKILL.md/generate.py. That is intrusive and easy to do incorrectly; keep backups and check file permissions. - Verify endpoints and trust: Confirm you trust the API host (https://api.minimaxi.com or .io) and the skill source. The SKILL.md contains an install URL in metadata but there is no automated install in the package — treat that as a minor inconsistency and verify downloads manually if used. What would reduce risk: require that the script be changed to read MINIMAX_API_KEY from environment variables (and not instruct users to embed keys in files), or provide clear guidance to pass --api-key at runtime; avoid instructing users to delete documentation sections; and document data sent to the API. If you are unsure, request the maintainer to update the skill so it reads credentials from the environment and do not paste secrets into repository files.