ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

minimax-websearch

v1.0.1

提供基于 MiniMax Token Plan 的免费网络搜索功能,支持自动切换到 Brave Search 和 Qwen Chat 作为备用方案。

0· 64·0 current·0 all-time
by@godiao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the implementation: the Node script launches a local minimax_mcp.server and calls the web_search tool. However the registry metadata claims no required environment variables or primary credential while the SKILL and script clearly require MINIMAX_API_KEY (and optionally MINIMAX_PYTHON/MINIMAX_API_HOST). This metadata omission is an inconsistency.
Instruction Scope
SKILL.md instructs creating a Python venv, installing minimax-coding-plan-mcp, adding MINIMAX_API_KEY to openclaw.json, and running the Node script. Those instructions are scoped to the task, but they reference and rely on host config files (openclaw.json) and hardcoded E:\.uv-venv paths which broaden the scope and may not apply to all users.
Install Mechanism
There is no automatic install spec; the user is told to pip install minimax-coding-plan-mcp into a venv. This is low-risk compared to arbitrary download-and-extract installs, but it does require installing a third-party package (minimax-coding-plan-mcp) whose provenance you should verify.
!
Credentials
The script legitimately needs MINIMAX_API_KEY and optionally MINIMAX_PYTHON and MINIMAX_API_HOST. Those env vars are reasonable for this purpose, but they are not declared in the registry metadata (so the skill underreports the credentials it needs). The script also uses a hardcoded E:\ venv path on Windows for certifi and the Python executable default; MINIMAX_PYTHON lets an operator point to any Python binary (which could execute arbitrary code), so ensure that the Python you point to and the minimax package come from trusted sources.
Persistence & Privilege
The skill does not request always: true, does not modify other skills, and has no install spec that writes system-wide config. It runs only when invoked (user-invocable); autonomous invocation is allowed by default but not combined with other high-risk flags here.
What to consider before installing
This skill is coherent with its stated purpose but exercise caution before installing: 1) The skill requires MINIMAX_API_KEY (and optionally MINIMAX_PYTHON/MINIMAX_API_HOST) even though the registry metadata doesn't list them — verify where you store the API key (adding it to openclaw.json will expose it to the gateway process). 2) Verify the minimax-coding-plan-mcp package (pip) and the MINIMAX_API_HOST domain (https://api.minimaxi.com) are legitimate and from a trusted source. 3) Avoid pointing MINIMAX_PYTHON to an untrusted Python binary — that binary will be launched and can run arbitrary code. 4) The skill assumes an E:\.uv-venv layout on Windows; adapt paths to your environment and review the REQUESTS_CA_BUNDLE behavior if you have custom cert stores. If you want higher assurance, ask the author for: (a) explicit registry requires.env entries, (b) the minimax-coding-plan-mcp package source/hash, and (c) an option to provide the API key at runtime rather than storing it globally in openclaw.json.
scripts/minimax_websearch.js:59
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk972e3eqzqzv4ymzad8tmq8gbd83gp4a

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments