Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
For using minimax mcp to generate audio, image, video to telegram.
v1.0.0Generate images, audio, video using MiniMax MCP and send to Telegram. Use when user wants to create media with MiniMax and deliver it via Telegram.
⭐ 0· 839·3 current·3 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's description is consistent with the instructions (use MiniMax MCP via mcporter and deliver results to Telegram). However, the published metadata declares no required environment variables while the SKILL.md clearly requires MINIMAX_API_KEY (and MINIMAX_RESOURCE_MODE) — this metadata omission is an incoherence that can mislead users about what credentials are needed.
Instruction Scope
SKILL.md stays within the stated purpose (install mcporter, call MCP tools, then send returned URLs to Telegram). However it instructs the agent/user to read or set ~/.mcporter/config.json and to include full presigned URLs with query-string authentication tokens when sending media. The instructions therefore require access to a local config file and to share URLs that embed auth tokens; both are material behaviors that were not declared in the manifest.
Install Mechanism
There is no formal install spec (instruction-only), which is low risk for the skill bundle itself. The README tells users to install mcporter via npm (npm install -g mcporter or npx). Installing a global npm package is a normal, expected step but is an external action the user must trust; the skill does not automatically download or execute anything itself.
Credentials
The runtime instructions require MINIMAX_API_KEY and optionally MINIMAX_RESOURCE_MODE, but the registry metadata lists no required env vars or primary credential — this mismatch is a clear inconsistency. The SKILL.md also assumes a Telegram 'message' tool/integration will be available (and that the agent has Telegram credentials), but does not document any Telegram token or configuration requirement. The credential requests that do appear (MiniMax API key) are appropriate for the feature, but they are not declared in the skill metadata.
Persistence & Privilege
The skill is instruction-only, has no install spec, and does not request always: true or other elevated persistence. It does not attempt to modify other skills or system-wide configurations in its instructions.
What to consider before installing
Before installing or using this skill: (1) be aware the SKILL.md requires a MINIMAX_API_KEY (and MINIMAX_RESOURCE_MODE) but the published metadata does not list these — verify and supply the MiniMax API key only if you trust the MiniMax service. (2) The instructions explicitly tell you to send the FULL presigned URLs returned by MiniMax (they contain authentication tokens in the query string) to Telegram; anyone with that URL can access the media until the token expires — avoid sending sensitive content or use short-lived tokens and private chats. (3) The skill assumes a Telegram integration/message tool is available; check how your Telegram credentials are stored and who can access them. (4) Installing mcporter via npm is required — review that package and its source before installing a global npm package. (5) Ask the publisher to update the skill metadata to declare required env vars and any Telegram config requirements; that metadata mismatch is the primary coherence issue here.Like a lobster shell, security has layers — review code before you run it.
latestvk97aevrfr6esxf1gfttarhvby9819psx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.