MiniMax MCP Search
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill matches its stated MiniMax search/image purpose, but its Python wrapper builds shell commands from user inputs in a way that could let a crafted query or image prompt run commands on the computer.
Do not install this skill unless the shell-injection issue is fixed or you fully trust all inputs passed to it. If you use it, verify the mcporter package source, use a limited MiniMax API key, and avoid sending sensitive images.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously crafted search term or image-analysis request could run commands with the agent user's local privileges.
The code runs a shell command built from user-controlled input without escaping or using a safe argument list. A crafted query, prompt, or image path containing quotes and shell metacharacters could execute unintended local commands.
subprocess.run(command, shell=True, ...); cmd = f'mcporter call minimax.web_search query:"{query}"'Change subprocess calls to use shell=False with an argument list, validate inputs, and avoid constructing shell strings from user-provided values.
Installing an unpinned global package can expose the environment to package compromise or unexpected future package changes.
The skill requires installing an external global npm package. This is purpose-aligned for using mcporter, but the artifacts do not pin a version or provide provenance details.
需要先安装 mcporter:`npm install -g mcporter`
Install mcporter only from a trusted source, prefer a pinned version, and verify the package before use.
The skill may use a MiniMax account credential already present on the system, which could incur account usage or expose provider access if mishandled.
The skill depends on a MiniMax API key stored in a configuration file. This is expected for a MiniMax integration, but the reviewed artifacts do not specify the config path, credential scope, or rotation guidance.
首次使用需配置 MiniMax API Key(已在配置文件中设置)
Use a least-privilege MiniMax key, confirm where it is stored, and rotate or revoke it if the environment is shared or untrusted.
Private or sensitive images selected for analysis may be sent to or processed by the external MiniMax service.
The image-understanding tool forwards the user-provided local path or URL through mcporter to the MiniMax MCP service. This is central to the stated feature, but users should understand that selected image content or references may be handled by the provider.
cmd = f'mcporter call minimax.understand_image prompt:"{prompt}" image_source:"{image_source}"'Only analyze images you are comfortable sharing with the configured MiniMax MCP service, and avoid sensitive local files unless the provider handling is acceptable.