Minimax Image Understanding

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent for image understanding, but it uploads selected local images to third-party vision model providers and uses provider API keys.

This skill appears benign and purpose-aligned. Before installing or using it, confirm you are comfortable sending the selected images to MiniMax, OpenAI, or Anthropic; avoid confidential screenshots or document photos unless that is allowed by your data policy; set only the needed API key; and keep MINIMAX_API_HOST pointed at a trusted provider endpoint.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Images such as screenshots or document photos may leave the local machine and be processed under the selected provider's data handling terms.

Why it was flagged

The helper reads a local image and sends its base64 content to an external vision model provider; similar provider submission flows are present for MiniMax and Anthropic.

Skill content
    with open(image_path, "rb") as f:
        image_data = base64.b64encode(f.read()).decode("utf-8")
    ...
    requests.post("https://api.openai.com/v1/chat/completions", headers=headers, json=payload, timeout=60)
Recommendation

Only use images you are comfortable sending to the chosen provider, and review that provider's retention and privacy settings for sensitive business material.

What this means

A misconfigured MiniMax host or overly broad provider key could expose account access or billing authority to the wrong endpoint.

Why it was flagged

The MiniMax API key is read from the environment and sent in an Authorization header to a configurable API host; OpenAI and Anthropic keys are also read from environment variables for provider calls.

Skill content
    API_HOST = os.environ.get("MINIMAX_API_HOST", "https://api.minimaxi.com")
    ...
    "-H", f"Authorization: Bearer {API_KEY}"
Recommendation

Set only the API key for the provider you intend to use, keep MINIMAX_API_HOST on a trusted HTTPS provider endpoint, and use least-privileged or dedicated keys where possible.

What this means

Installation may appear dependency-free even though successful use depends on local runtime tools and provider credentials.

Why it was flagged

The registry contract omits setup requirements that appear in the artifacts, including provider API environment variables and runtime use of curl/requests.

Skill content
    Required binaries (all must exist): none
    ...
    Required env vars: none
    ...
    No install spec — this is an instruction-only skill.
Recommendation

Before use, verify that the needed Python dependencies and command-line tools are trusted and available, and treat the SKILL.md setup instructions as the effective credential requirements.