8917 Minimax Toolkit
PassAudited by VirusTotal on May 9, 2026.
Overview
Type: OpenClaw Skill Name: 8917-minimax-toolkit Version: 0.2.4 The 8917-minimax-toolkit is a legitimate multi-modal toolset for interacting with the MiniMax API. While it performs sensitive actions such as reading API keys from `~/.openclaw/openclaw.json` and uploading user-provided media files (images/audio) for processing, these behaviors are explicitly documented in `SKILL.md` and `references/8917-minimax-toolkit-trust-note.md`. The code in `scripts/minimax_client.py` and `scripts/executor_common.py` shows that data is only transmitted to official MiniMax endpoints (e.g., api.minimaxi.com). There is no evidence of data exfiltration to unauthorized third parties, malicious execution, or subversion of the AI agent's instructions.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill may allow it to spend MiniMax quota or access MiniMax services under the user's configured account key.
The skill can read a MiniMax API key from the user's OpenClaw configuration if MINIMAX_API_KEY is not set; this is disclosed and purpose-aligned, but it is still account credential access.
config_path = os.path.expanduser("~/.openclaw/openclaw.json") ... if "minimax" in name.lower(): return cfg.get("apiKey")Use a dedicated MiniMax Token Plan key where possible, confirm the key source before running commands, and rotate the key if you no longer trust the skill.
Private images, audio, video, text, or voice samples used with the skill may be uploaded to MiniMax for processing.
The skill explicitly sends user-provided text/media to a third-party provider for generation workflows; this is expected for the integration but important for privacy.
This skill may send user-provided media to MiniMax APIs in these cases: image generation / image-to-image ... voice cloning / voice design ... music generation
Do not submit sensitive media unless you accept MiniMax processing it; obtain consent before using other people's voice or media samples.
Users have less external provenance information for verifying who maintains the skill or where updates originate.
The registry metadata does not provide an upstream source or homepage, which reduces provenance transparency even though the included artifacts are coherent and the static scan is clean.
Source: unknown; Homepage: none
Review the included scripts and references before installation, especially because the skill handles API credentials and media uploads.