Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax套餐查询 (MiniMax Plan Lookup)

v1.0.0

Retrieves plan information from the MiniMax platform, including plan name, quota, and current usage. Use this skill when the user asks about MiniMax plans, quota usage, API call volume, or billing information.

by 杨帆 (@asio-o)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious (report available)
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose is to retrieve MiniMax plan/usage info; the script automates a browser to open the MiniMax billing page and scrape text, which is a plausible implementation. However, the code also searches for API keys (pattern sk-cp-...) which is not mentioned in the SKILL.md outputs — this extra capability should be explicitly documented.
Instruction Scope
SKILL.md instructs the user to run the provided script and describes returned fields (plan name, quota, usage); it does not mention extracting API keys. The script evaluates page DOM and runs regex to find API keys and returns/prints them. That is scope creep: the runtime instructions do not disclose that secrets visible in the page will be extracted and printed.
Install Mechanism
No install spec in the registry; the script requires the third-party package Playwright and a browser runtime (the script prints a message to pip install/playwright install chromium). This is expected for browser automation and no arbitrary remote downloads or obscure installers are embedded in the skill bundle.
Credentials
The skill does not request environment variables, which is good, but it programmatically searches the page for API keys and prints them. Extracting and exposing API keys (or other secrets displayed in the page) is a sensitive action not justified or disclosed by the SKILL.md output list.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges or modify other skills or system-wide configuration. It runs as an on-demand local script and opens a visible browser instance (headful).
What to consider before installing
This skill will open a local browser and scrape the MiniMax billing page for plan/usage information. However, its code also searches the page text for API-key-like strings (regex for 'sk-cp-...') and will print/return any matches — a sensitive behavior that is not documented in SKILL.md. Before installing or running:
1) Inspect the script yourself or ask the publisher to explicitly disclose API-key extraction and whether keys are stored, transmitted, or logged.
2) If you want only plan/usage info, remove or disable the api_key extraction lines in scripts/get_plan.py (the JS evaluation and the regex for sk-cp-...).
3) Run the script in a trusted, isolated environment and do not run it while unrelated accounts/pages are open in the same browser profile (the script can read any DOM the browser can access).
4) Consider changing prints to redact keys (e.g., show only the last 4 chars) and avoid returning secrets in machine-readable results.
If the publisher cannot justify extracting keys, treat this as a reason not to use the skill.


latest: vk9734g0qfr12xxd9epbs15ycmx82nq9a
