Minimax Coding Plan (China) subscription usage query
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill could execute shell content from an unexpected parent .env file, not just read the two Minimax variables.
The script shell-sources a .env file two directories above the script. In bash, sourcing a file can execute commands in that file, and this path conflicts with the documented same-directory .env setup.
source "$(dirname "$0")/../../.env"
Change the script to load only the documented same-directory .env file, parse only the needed variables without shell-sourcing arbitrary content, and document the exact path used.
Users may not realize the skill needs account-level Minimax credentials or where it will read them from.
The skill uses a Minimax bearer API key, but the registry metadata declares no primary credential and no required environment variables, and the script obtains it from a broader parent .env path.
API_KEY="${MINIMAX_CODING_API_KEY}" ... --header "authorization: Bearer $API_KEY"
Declare MINIMAX_CODING_API_KEY and MINIMAX_GROUP_ID in metadata, document the credential scope, and keep credential loading limited to the expected file.
A user may try to run a missing or different script than the one reviewed.
The documented command references minimax-usage.sh, while the provided file manifest contains minimax-coding-plan-usage.sh. This packaging mismatch is not malicious by itself, but it can confuse which file should be run.
./minimax-usage.sh
Align the documented command, included filename, and script comments; also declare runtime dependencies such as curl and jq.
