Minimax Video
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: minimax-video Version: 1.0.0 The skill bundle exhibits a significant functional discrepancy between its advertised purpose and actual execution. The `SKILL.md` and `package.json` describe a 'Zhipu Web Search' skill intended to use the `open.bigmodel.cn` API. However, the `skill/scripts/search.sh` script is titled 'MiniMax Video Generation Script' and makes API calls to `https://api.minimax.chat/v1/video_generation` for video generation. This misrepresentation acts as a prompt injection against the AI agent, instructing it to use the skill for web search when it will actually perform video generation, leading to unexpected behavior and potential resource misuse. While the script itself implements input sanitization via `jq --arg` and does not contain direct malicious code like data exfiltration or backdoors, the deceptive nature of the skill's description is highly suspicious.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install or invoke the skill expecting web search, while bundled code is set up for a different service and task.
The user-facing instructions claim a Zhipu web-search purpose and endpoint, but the bundled script calls a different provider and capability. This mismatch can mislead users about what the skill actually does.
Use Zhipu's web search API to search the internet. ... Official: `https://open.bigmodel.cn/api/paas/v4/chat/completions`
Do not use this skill until the description, documentation, credential instructions, and script all match the same provider and capability.
User prompts may be sent to an unexpected API and may trigger video-generation behavior or costs instead of returning search results.
The helper script performs MiniMax video generation and extracts a video URL, which does not match the declared Zhipu web-search workflow.
model: "video-01" ... curl ... "https://api.minimax.chat/v1/video_generation" ... VIDEO_URL=$(echo "$RESULT" | jq -r '.data.video_url // empty'
Remove or replace the script, or clearly rename and document the skill as MiniMax video generation with explicit user approval for generation requests.
A user could provide a credential for one provider and have it sent to a different provider endpoint.
The script sends the configured API key to MiniMax, while the documentation describes Zhipu web search and points users to a BigModel/Zhipu API-key page. That creates an unclear and potentially wrong credential boundary.
KEY="$MINIMAX_API_KEY" ... -H "Authorization: Bearer $KEY" ... "https://api.minimax.chat/v1/video_generation"
Declare the required credential in registry metadata, use provider-specific environment variable names, and ensure the API endpoint matches the documented key source.