ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mmx

v1.0.0

Multimodal content generation and analysis via MiniMax CLI, including text chat, image/video creation, speech synthesis, music, vision, and web search with A...

0· 41·0 current·0 all-time
by@ariffazil
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a CLI-centric multimodal tool (mmx) and the commands in the file line up with that purpose. However the registry metadata provided with the skill claims no required binaries or credentials while the SKILL.md frontmatter and content explicitly expect the 'mmx' executable and an API key. This discrepancy between declared requirements and the instructions is inconsistent.
!
Instruction Scope
Runtime instructions tell the agent to run many mmx CLI commands and to perform authentication via 'mmx auth login --api-key <your-api-key>'. The docs also demonstrate piping to other system tools (mpv, jq, cat) and use of local files/URLs. Those auxiliary binaries and the need to supply an API key are not declared elsewhere; the instructions therefore reference system state and tools outside the skill's declared surface.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes installer risk. Nothing in the package attempts to download or execute external code by itself.
!
Credentials
The SKILL.md requires an API key for 'mmx auth login' but the skill does not declare any required environment variables or primary credential in the registry metadata. That omission means the skill's credential needs are not made explicit. Additionally, commands reference other local tools (mpv, jq) which might require additional permissions or environment setup; those are not declared either.
Persistence & Privilege
The skill is not marked always:true and is user-invocable; it does not request persistent presence or claim privileges to alter other skills or system-wide settings. No install actions are present that would grant it additional persistence.
What to consider before installing
This skill is a CLI usage guide for a third-party 'mmx' tool. Before installing/using it: 1) Verify the origin and integrity of the mmx CLI (source URL or package repo), because the skill assumes that binary is installed and trustworthy. 2) Expect to provide an mmx API key — confirm how that key is stored/used; the skill did not declare any environment variable for it. 3) Note the examples call other local binaries (mpv, jq, cat); ensure you have or trust those tools before piping data to them. 4) Ask the skill author or publisher for a homepage/source repository and an explicit list of required binaries and credentials; absence of those details is the main inconsistency. 5) If you will run commands from this skill, run them in a controlled environment (sandbox/container) until you've validated the CLI and API endpoints.

Like a lobster shell, security has layers — review code before you run it.

latestvk976yp9a8193jvexpk0092gjxn84s35c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments