v0.1.0

Minimax Tools

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:44 AM.

Analysis

This is a coherent MiniMax API wrapper, but it uses your MiniMax API key and can send selected local media files to MiniMax.

Guidance

Before installing, make sure you trust the source, configure MINIMAX_API_KEY carefully, leave MINIMAX_BASE_URL unset unless you trust the alternate endpoint, and only provide audio, images, lyrics, or prompts that you intend to send to MiniMax. Also consider provider costs, quota usage, and consent for any voice-cloning inputs.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
README.md
Install dependency if needed:

```bash
pip install requests
```

The documented setup relies on installing an unpinned PyPI dependency; this is common and expected for a Python API wrapper, but it is still a supply-chain consideration.

User impact: Installing dependencies from PyPI can introduce risk if done in an uncontrolled environment or if dependency provenance is not checked.
Recommendation: Install dependencies in a trusted Python environment and consider pinning or auditing the requests package version in managed deployments.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
scripts/common.py

```python
BASE_URL = os.environ.get("MINIMAX_BASE_URL", "https://api.minimaxi.com")
API_KEY_ENV = "MINIMAX_API_KEY"
...
h = {"Authorization": f"Bearer {get_api_key()}"}
```

The skill uses the MiniMax API key as a bearer token and allows an optional base URL override; this is purpose-aligned, but it is authenticated account access.

User impact: The skill can make authenticated MiniMax API calls that may use your account quota or billing, and a misconfigured base URL could send the key to a non-MiniMax endpoint.
Recommendation: Use a dedicated MiniMax API key if possible, keep MINIMAX_BASE_URL unset unless you intentionally trust the alternate endpoint, and monitor provider usage.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Note
scripts/minimax_voice.py

```python
with p.open("rb") as f:
    files = {"file": (p.name, f)}
    data = {"purpose": purpose}
    return request_multipart("/v1/files/upload", data=data, files=files, timeout=600)
```

Voice cloning uploads a user-selected local audio file to the MiniMax API; this is central to the feature, but voice data can be sensitive.

User impact: Audio provided for cloning is sent to MiniMax and may represent a person's voice, which can have privacy, consent, and impersonation implications.
Recommendation: Only upload audio you are authorized to use, avoid private or third-party voice samples without consent, and confirm the configured API host before cloning.