Skill v1.0.0
ClawScan security
Content Repurposer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 2:51 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (sends content to an external LLM API and writes repurposed outputs), but the package metadata omits a required API credential and there are a few small scope/visibility mismatches you should review before installing.
- Guidance: Before installing or enabling this skill: (1) Confirm where MINIMAX_API_KEY should come from and whether you trust the minimax.chat endpoint — the script sends your content to that external service. (2) Do not pass sensitive secrets or proprietary content unless you accept that it will be transmitted to the external API. (3) The skill manifest does not declare the required environment variable; update the metadata or your deployment documentation so the requirement is explicit. (4) Note the CLI supports '@file' to read arbitrary local files — ensure you don't accidentally upload files with secrets. (5) If you need stronger assurance, run the included script in an isolated environment or inspect and run it manually to verify network behavior and logs. (6) If you plan to install at scale, ask the owner for the source/homepage or an official release so you can verify provenance.
- Findings:
  - [env_var_MINIMAX_API_KEY] expected: The script reads MINIMAX_API_KEY from the environment to authenticate API requests. This is expected for a generator that calls an external LLM service, but the skill metadata does not list this required env var — a manifest mismatch.
  - [network_call_api_minimax_chat] expected: The code issues an HTTPS POST to https://api.minimax.chat/v1/text/chatcompletion_pro to perform generation. Network calls to an external LLM endpoint are expected for the claimed functionality.
Review Dimensions
- Purpose & Capability (concern): The code calls an external generation API (https://api.minimax.chat) and expects MINIMAX_API_KEY in the environment, which is coherent with a content-generation skill. However, the registry metadata and SKILL.md declare no required environment variables or primary credential. That omission is inconsistent: a useful API key is necessary for the skill to function but is not declared in the manifest.
- Instruction Scope (note): SKILL.md instructs running the included Python script and describes the outputs. The script will send the provided content (or the contents of a file if the CLI argument starts with '@') to the MiniMax API and write structured JSON/text files to an output directory. SKILL.md does not document the '@file' input form or explicitly warn that content will be transmitted to an external service; otherwise the runtime behavior aligns with the stated purpose.
- Install Mechanism (ok): No install spec (instruction-only + bundled script). Nothing is downloaded or extracted during install and code is included as plain Python — lower installation risk.
- Credentials (concern): The script reads MINIMAX_API_KEY from the environment to authenticate to the external API. Requiring a single API key is proportionate to content generation, but the required credential is not declared in the skill metadata (requires.env / primary credential are empty). This mismatch could cause confusion and accidental misconfiguration; it also means the agent installer won't warn users that an API key is needed.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills or global config, and does not request unusual system privileges. It writes outputs to a user-specified directory (default ./output).
