Skill v1.0.0
ClawScan security
Minimax Image Understanding · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 8, 2026, 9:56 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill generally matches its stated purpose (sending a local image to a chosen multimodal model and returning a description) but has implementation inconsistencies (undeclared dependencies and an unexpected use of curl) and sends full image data to external endpoints — review dependencies and trust of remote APIs before installing.
- Guidance: This skill appears to do what it says (send a local image to a selected multimodal model and return a description), but before installing or using it you should:
  - Confirm dependencies: ensure the runtime has the 'curl' binary (used by the MiniMax path) and the Python 'requests' package (used for OpenAI/Anthropic). The skill's metadata incorrectly states "no required binaries".
  - Consider privacy: the script base64-encodes and sends the entire image to remote APIs. Do not use it on images containing sensitive or private data unless you trust the target service and understand its retention policy.
  - Verify provider endpoints and keys: validate MINIMAX_API_HOST if you set it (default is https://api.minimaxi.com) and never hard-code API keys; supply them via environment variables as instructed.
  - Review model choice and costs: using OpenAI/Anthropic may incur usage charges and have different input formats/limits — test with non-sensitive images first.

  If you want stronger assurance, request an updated skill package that explicitly documents runtime dependencies (curl, requests) and includes checks that fail with clear messages when dependencies are missing.
Review Dimensions
- Purpose & Capability (ok): Name/description (image understanding via MiniMax/OpenAI/Anthropic) align with the included script and SKILL.md: the code reads a local image, base64-encodes it, and sends it to the selected model provider for analysis. Required environment variables listed in SKILL.md correspond to the providers used.
- Instruction Scope (note): Runtime instructions and the script are scoped to reading a local image file and sending it to a model provider; they do not access unrelated system files or secrets. However, the skill will transmit the entire image (base64) to remote APIs, so image confidentiality and provider trust are relevant security considerations that the user should evaluate.
- Install Mechanism (concern): No install spec is provided, but the script relies on external tools/libraries: it calls the 'curl' binary for the MiniMax path and imports the Python 'requests' module for OpenAI/Anthropic. The registry metadata claims 'required binaries: none', which contradicts the actual script requirements — this omission can cause runtime failures and indicates incomplete packaging/documentation.
- Credentials (ok): The env vars mentioned (MINIMAX_API_KEY, MINIMAX_API_HOST, OPENAI_API_KEY, ANTHROPIC_API_KEY) match the services the skill integrates with and are proportionate to its purpose. No unrelated credentials or additional config paths are requested.
- Persistence & Privilege (ok): The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. It runs on demand and does not persist credentials or change agent configuration.
