国内Minimax Coding Plan订阅计划用量查询
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: minimax-coding-plan-usage Version: 1.0.0 The skill is classified as suspicious primarily due to the `minimax-coding-plan-usage.sh` script sourcing a `.env` file from `../../.env`. This path suggests it attempts to load a global OpenClaw configuration file (e.g., `~/.openclaw/.env`), which contradicts the `SKILL.md` instructions to create a `.env` file in the skill's local directory. While the script only explicitly uses `MINIMAX_CODING_API_KEY` and `MINIMAX_GROUP_ID`, loading a potentially global `.env` file means all variables within it would be exposed to the script's environment, representing a broader permission than necessary and a potential information exposure risk, even without clear malicious intent to exfiltrate them. The network calls are to a legitimate Minimax API endpoint (platform.minimax.com) and do not show signs of data exfiltration to unauthorized destinations.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill could execute shell content from an unexpected parent .env file, not just read the two Minimax variables.
The script shell-sources a .env file two directories above the script. In bash, sourcing a file can execute commands in that file, and this path conflicts with the documented same-directory .env setup.
source "$(dirname "$0")/../../.env"
Change the script to load only the documented same-directory .env file, parse only the needed variables without shell-sourcing arbitrary content, and document the exact path used.
Users may not realize the skill needs account-level Minimax credentials or where it will read them from.
The skill uses a Minimax bearer API key, but the registry metadata declares no primary credential and no required environment variables, and the script obtains it from a broader parent .env path.
API_KEY="${MINIMAX_CODING_API_KEY}" ... --header "authorization: Bearer $API_KEY"Declare MINIMAX_CODING_API_KEY and MINIMAX_GROUP_ID in metadata, document the credential scope, and keep credential loading limited to the expected file.
A user may try to run a missing or different script than the one reviewed.
The documented command references minimax-usage.sh, while the provided file manifest contains minimax-coding-plan-usage.sh. This packaging mismatch is not malicious by itself, but it can confuse which file should be run.
./minimax-usage.sh
Align the documented command, included filename, and script comments; also declare runtime dependencies such as curl and jq.