Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax Image Generator

v1.0.1

Expert image generation skill using MiniMax image-01. Use this skill ANY TIME the user asks to create, generate, make, or produce an image, visual, graphic,...

by Tony Simons (@asimons81)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (image generation with MiniMax image-01) matches the included script and SKILL.md. However, the registry metadata lists no required environment variables even though SKILL.md and the script both gate on MINIMAX_API_KEY — this metadata omission is inconsistent and could mislead users about needed credentials.
Instruction Scope
Runtime instructions focus on prompt engineering, selecting parameters, calling the image generation API, and saving results to the workspace (~/.openclaw/workspace/images). The SKILL.md does not instruct the agent to read unrelated system files or exfiltrate unrelated data. It does permit subject_reference entries (URLs or base64) which may cause the agent to fetch user-supplied images; that behavior is consistent with the skill's purpose.
Install Mechanism
There is no install spec (instruction-only skill) and a single included Node script is provided. The script performs network calls to https://api.minimax.io and downloads generated images — expected for an image-generation skill. The external API host (minimax.io) has no homepage provided in the skill metadata, so users should verify the service's legitimacy before providing credentials.
Credentials
The script and SKILL.md require MINIMAX_API_KEY (and the SKILL.md even lists it in gates) but the registry 'Requirements' section lists no required env vars or primary credential. This mismatch is a material coherence problem: the skill legitimately needs one API key for its function, but the published metadata failing to declare it could confuse users and tooling managing secrets. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request permanent/always-available privileges (always:false), does not modify other skills' configs, and only writes generated images to a workspace directory. It does not request elevated system access. Autonomous invocation is enabled by default but that is expected behavior for skills.
What to consider before installing
This skill appears to be a straightforward image generator, but exercise caution before installing:
1) The SKILL.md and script require MINIMAX_API_KEY though the registry metadata does not declare it — expect to provide that API key.
2) The skill sends prompts and image data to https://api.minimax.io (no homepage/source is provided) — verify the service is trustworthy before using a real API key or sending sensitive imagery.
3) Generated images are saved to ~/.openclaw/workspace/images — ensure you are comfortable with files being written there.
4) If you plan to install, confirm the owner/source and consider creating a scoped API key with limited privileges or using a throwaway key for initial testing.
If you want higher assurance, ask the publisher for a homepage, privacy/security info for minimax.io, and updated registry metadata that declares MINIMAX_API_KEY explicitly.
scripts/generate-image.mjs:12
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
