Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MiniMax Vision Captcha
v1.0.0使用MiniMax视觉模型识别图片中的验证码、滑块位置、文字内容等。适用于需要AI视觉分析的场景,如微信验证码识别、网页截图分析、图片文字提取。当需要识别图片内容、分析验证码、提取截图信息时使用此技能。
⭐ 0· 1.1k·2 current·3 all-time
byNurmamat@ai-nurmamat
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description, SKILL.md, and the included script all consistently implement an image/captcha recognition helper that calls a MiniMax visual MCP via mcporter and uses OpenClaw browser screenshots. The files and commands requested are coherent with the stated purpose.
Instruction Scope
Runtime instructions tell the agent to take screenshots and call mcporter.minimax-coding-plan.understand_image — that matches purpose. However the included script will automatically look in /root/.openclaw/media/browser for screenshots if none provided (accessing local user/root files), and it constructs a shell command by interpolating user-supplied prompt and imagePath directly into a single string passed to execSync. That creates a command-injection risk and means the skill can read and submit arbitrary local images to the MCP.
Install Mechanism
No install spec or remote downloads — the skill is instruction-only with a small local Node script. Nothing is fetched from arbitrary URLs during install, which lowers supply-chain risk.
Credentials
The skill declares no environment variables or credentials, but SKILL.md says 'ensure MiniMax MCP is configured' and the script uses mcporter. Credentials/config required to call the MCP are not documented in requires.env or marketplace.json — an omission that reduces transparency. No unrelated credentials are requested.
Persistence & Privilege
Skill is user-invocable, not always:true, and does not request elevated or persistent platform privileges nor modify other skills' configurations.
What to consider before installing
This skill appears to do what it claims (solve captchas using a MiniMax visual service) but you should be cautious before installing: 1) The included script runs a shell command via execSync with prompt and image path interpolated verbatim — this is vulnerable to command injection if those values include malicious characters. Prefer a version that calls mcporter with an argument array (spawn/execFile) or properly escapes inputs. 2) The script will read the latest PNG from /root/.openclaw/media/browser if no image is given; make sure you are comfortable with the skill accessing that directory and that no sensitive screenshots could be sent to the MCP. 3) SKILL.md mentions MiniMax MCP must be configured, but the skill does not declare what credentials or endpoints are required — verify how mcporter is configured and where image data will be sent. 4) The skill author/source is not clearly verified (marketplace.json lists an author/link but the package source/homepage are missing) — consider running in a sandbox, review or rewrite the script to sanitize inputs, and confirm compliance with any site/service terms (captcha bypassing can violate terms of service).Like a lobster shell, security has layers — review code before you run it.
captchavk9775a1nabb02wwdb0k73cygwd8249salatestvk9775a1nabb02wwdb0k73cygwd8249saminimaxvk9775a1nabb02wwdb0k73cygwd8249savisionvk9775a1nabb02wwdb0k73cygwd8249sa
License
MIT-0
Free to use, modify, and redistribute. No attribution required.