Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MiniMax Quota Query
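v1.0.0
MiniMax Token Plan quota query tool. Use it when you need to query MiniMax API usage, remaining quota, or the quota reset time. Supports querying usage for models such as M2.7 (text), image-01 (image), Hailuo (video), music-2.5 (music), and speech (voice). Trigger scenarios: the user asks "check the MiniMax quota", "Toke...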
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description state it queries MiniMax Token Plan and the included script and curl examples do exactly that against https://www.minimaxi.com/.... However the registry metadata does not declare the required credential or runtime even though the SKILL.md and script expect an API key (MINIMAX_API_KEY) and a Python 3 interpreter. The missing declaration is an inconsistency.
Instruction Scope
SKILL.md and scripts instruct only to call the stated MiniMax endpoint and to format/print returned quota data. The code does not read unrelated files, contact other endpoints, or attempt to access unrelated system state.
Install Mechanism
There is no install spec (instruction-only with an included script). The script is small, uses the standard library (urllib), and will not write or execute additional downloaded code. Note: it expects a Python 3 runtime to be available.
Credentials
The skill legitimately requires a single bearer token (MINIMAX_API_KEY) to call the MiniMax API, which is proportionate. However, the registry metadata does not list this required env var or a primary credential, so the manifest understates the secret access the skill needs. That omission reduces transparency and is a red flag.
Persistence & Privilege
The skill does not request persistent/global privileges (always is false) and does not modify other skills or system-wide settings. It only runs as invoked.
What to consider before installing
This skill appears to do what it says: call MiniMax's quota endpoint and print results. Before installing or running it, confirm the MiniMax endpoint/domain is legitimate and trusted (https://www.minimaxi.com). Do not paste your API key into unknown packages; prefer running the provided script locally so you control the environment and can inspect requests. Ask the publisher to update the package metadata to declare MINIMAX_API_KEY (and that Python 3 is required) so the need for a secret is explicit. If you must provide a key, ensure it has minimal scope and rotate it afterward if you become uncertain. Finally, note the odd 'uv run' invocation in the README — the script itself requires python3; verify how your agent/runtime will execute it.
Like a lobster shell, security has layers — review code before you run it.
latestvk97b2r3zn48tm8qn358xqq53zd83ce04
