minimax-plan-usage

Security checks across malware telemetry and agentic risk

Overview

This skill appears to only query MiniMax Token Plan usage, with a disclosed credential-use risk if the optional API host is misconfigured.

Install only if you are comfortable using a MiniMax Token Plan API key with this command. Keep MINIMAX_API_HOST unset or set only to an official MiniMax endpoint, and avoid running it in environments where another component could silently change that variable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tainted flow: 'url' from os.environ.get (line 14, credential/environment) → requests.get (network output)

Severity: Critical
Category: Data Flow
Content:
def check_usage(api_key: str) -> dict:
    url = f"{API_HOST}/v1/api/openplatform/coding_plan/remains"
    resp = requests.get(url, headers={"Authorization": f"Bearer {api_key}"}, timeout=30)
    resp.raise_for_status()
    return resp.json()
Confidence: 95%
Finding:
resp = requests.get(url, headers={"Authorization": f"Bearer {api_key}"}, timeout=30)

VirusTotal

66/66 vendors flagged this skill as clean.
