MCP协议配置
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is a user-directed MCP setup guide that matches its stated purpose, but users should notice that it installs external tooling and stores/uses a MiniMax API key for external MCP calls.
Before installing, verify the external packages and remote installer, store the MiniMax API key securely, and only enable MCP servers whose permissions you are comfortable granting to your agent.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing these tools can run third-party code on the user's machine.
The setup relies on external packages and a remote installer without pinned versions. This is a normal setup pattern for an MCP guide, but it makes package/source verification important.
npm install -g clawhub ... curl -LsSf https://astral.sh/uv/install.sh | sh ... "args": ["minimax-coding-plan-mcp"]
Verify the npm package, uv installer, and MCP package sources before installing; prefer pinned versions or documented trusted install channels where possible.
If the user later configures broad MCP servers, the agent may gain access to files or third-party account actions.
The guide lists MCP servers that can expose filesystem or GitHub capabilities. They are only listed as common examples, not configured by default, but users should understand that adding such servers can broaden agent authority.
| filesystem-mcp | 文件系统操作 |\n| github-mcp | GitHub 操作 |
Enable only the MCP servers needed for the task, and apply the narrowest permissions, paths, and account scopes available.
The configured MCP server can use the user's MiniMax account quota and permissions associated with that API key.
The MiniMax MCP server is expected to use a provider API key. The artifact does not show credential leakage, but the key grants account/API access and is not declared in registry requirements.
"env": { "MINIMAX_API_KEY": "你的API密钥", "MINIMAX_API_HOST": "https://api.minimaxi.com" }Use a least-privilege API key, avoid sharing the config file, rotate the key if exposed, and remove it when the MCP server is no longer needed.
Images, prompts, or queries used with these tools may be processed by the external provider.
The skill shows MCP calls that send user prompts, image inputs, and search queries to a MiniMax-backed MCP server. This is disclosed and purpose-aligned, but it crosses a provider boundary.
call MiniMax.understand_image ... "image_source: /path/to/image.jpg" ... call MiniMax.web_search ... "query: 搜索内容"
Do not send confidential images, private documents, or sensitive queries unless the provider and account settings are acceptable for that data.