MiniMax Token Plan Quota

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward MiniMax quota checker. It discloses its use of the API key, and it includes guidance for storing the key locally in plaintext, which users should treat carefully.

Install only if you are comfortable letting the skill use your MiniMax API key to query MiniMax quota endpoints. Prefer an existing environment variable or one-off key for temporary use; if you store the key in ~/.openclaw/.env, restrict access to that file and rotate the key if it may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill instructs use of shell, network access, environment variables, and local file reads/writes but does not declare any permissions. This creates a trust and review gap: an agent or operator may approve the skill without understanding it can access secrets, read local files, and make outbound requests to external services.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
- If `~/.openclaw/.env` is missing or lacks `MINIMAX_API_KEY`, guide the user to add:

```bash
mkdir -p ~/.openclaw
printf "MINIMAX_API_KEY=你的key\n" > ~/.openclaw/.env
```
Confidence: 85%
Finding:

```bash
mkdir -p ~/.openclaw
printf "MINIMAX_API_KEY=你的key\n" > ~/.openclaw/.env
```

## Commands

### China mainland Token Plan quota

```bash
MINIMAX_API_KEY='...' python3 scripts/check_token_plan_quota.py
```

VirusTotal

67/67 vendors flagged this skill as clean.
