Minimax Tts

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill’s files conflict about whether it is Zhipu web search or MiniMax text-to-speech, and its API-key/endpoint handling could send credentials or user text to an unexpected provider.

Review this skill carefully before installing. The safest choice is to wait for a corrected version with a consistent purpose, endpoint, credential name, and script path. If you still test it, use a temporary least-privilege API key, avoid sensitive text, and verify whether requests are going to Zhipu or MiniMax.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may install or invoke this expecting web search, while the included code performs a different provider action.

Why it was flagged

The runnable script is for MiniMax TTS, contradicting the root SKILL.md and package description that present the skill as Zhipu web search/current-information access.

Skill content

# MiniMax TTS Generation Script ... "https://api.minimax.chat/v1/t2a_v2"

Recommendation

Do not rely on this skill until the publisher makes the name, description, instructions, script, and provider endpoints consistent.

What this means

A credential could be used with, or exposed to, a provider different from the one the user expected.

Why it was flagged

The script sends MINIMAX_API_KEY as a bearer token to MiniMax, while SKILL.md tells users to get an API key from BigModel/Zhipu and the registry requirements declare no required credential.

Skill content

KEY="$MINIMAX_API_KEY" ... -H "Authorization: Bearer $KEY" ... "https://api.minimax.chat/v1/t2a_v2"

Recommendation

Require a clearly named provider-specific key, declare it in metadata, and document exactly which service receives it before installation.

What this means

Search queries or text the user provides may be transmitted to an unexpected external service.

Why it was flagged

User-supplied text is sent to the MiniMax provider, but the main skill documentation frames the skill as Zhipu web search, leaving the actual data boundary unclear.

Skill content

TEXT="$1" ... text: $text ... curl ... "https://api.minimax.chat/v1/t2a_v2" ... -d "$PAYLOAD"

Recommendation

Clearly disclose every external endpoint and data type sent, and ask users to avoid sending sensitive text unless they intend to share it with that provider.

What this means

The documented command may fail or cause the agent to choose a different file than the user expects.

Why it was flagged

The referenced helper name does not appear in the manifest, which contains skill/scripts/search.sh instead. This is a packaging/provenance inconsistency, though no hidden downloader or install-time execution is shown.

Skill content

./tts.sh "搜索内容"

Recommendation

Publish a corrected package with matching filenames, slugs, and usage examples.

What this means

The agent can make network requests using the configured API key when this skill is invoked.

Why it was flagged

The skill allows outbound API calls through curl and JSON handling through jq. This is normal for an API integration, but it matters because the provider instructions are inconsistent.

Skill content

allowed-tools: Bash(curl:*) Bash(jq:*)

Recommendation

Only use with a least-privilege test key and after verifying the intended endpoint.