ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax Video Generator

v1.0.0

Generate videos using MiniMax by uploading start/end frames or describing scenes, then query status and download results.

0· 160·0 current·0 all-time
by@hongjiahao371-pixel
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description match the code: scripts call a MiniMax API to generate, query, and download videos. However the registry metadata claimed no required config or credentials while both SKILL.md and all three scripts explicitly read an API key from ~/.openclaw/openclaw.json — the skill will not work without that key and the manifest failed to declare this requirement.
Instruction Scope
SKILL.md and the scripts are narrowly scoped to (1) read a MiniMax apiKey from ~/.openclaw/openclaw.json, (2) POST to /v1/video_generation, GET to /v1/query/video_generation and /v1/files/retrieve, and (3) download a file to a local path. The scripts do not attempt to read other system files or call arbitrary endpoints, but they do read the user's OpenClaw config file (which may contain other provider entries) to extract the apiKey.
Install Mechanism
This is an instruction-only skill with included scripts and no install spec. Nothing will be downloaded or written to system locations by an automated installer; the scripts run locally when invoked.
!
Credentials
The skill requires an API key but the registry metadata lists no required env vars or config paths. Instead the code reads ~/.openclaw/openclaw.json to find minimax-cn.apiKey. This mismatch (undeclared credential/config dependency) is the main proportionality issue. The scripts only use a single provider key (minimax-cn) and do not explicitly exfiltrate other credentials, but they do parse your OpenClaw config file to obtain it.
Persistence & Privilege
The skill does not request permanent/always-on installation, does not modify other skills or system-wide settings, and does not persist new credentials. It simply reads the OpenClaw config and performs network calls when run.
What to consider before installing
Before installing or running this skill: (1) know that the scripts will read ~/.openclaw/openclaw.json to obtain a minimax-cn apiKey even though the registry metadata didn’t declare this — ensure that file contains only the key you intend to use (create a dedicated MiniMax key if possible). (2) Network activity: the scripts will send that API key in an Authorization: Bearer header to api.minimaxi.com and will download remote files (the download script follows redirects). Verify you trust the MiniMax endpoints and the source of any file URLs. (3) Review output paths before downloading to avoid overwriting important files. (4) If you want stricter control, set a dedicated config with only the MiniMax apiKey or modify the scripts to accept an explicit env var/API key rather than reading the shared OpenClaw config. (5) The skill’s manifest should have declared the config dependency — consider asking the author to update metadata and documentation for transparency.

Like a lobster shell, security has layers — review code before you run it.

latestvk970vtm8fr00eg4nq9snsywstx83aeha

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments