For using MiniMax MCP to generate audio, images, and video and send them to Telegram.

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or running an unverified npm package or MCP server could execute code outside the reviewed skill instructions.

Why it was flagged

The skill asks the user to install/run an external CLI and add an MCP server by name, but the artifact does not pin versions or identify a trusted source. This is expected for the integration, but it is still a supply-chain detail users should verify.

Skill content

npm install -g mcporter ... npx mcporter --help ... mcporter mcp add minimax-mcp

Recommendation

Install mcporter and the MiniMax MCP server only from trusted sources, prefer pinned versions where possible, and review the package/server documentation before use.

What this means

Anyone who obtains the API key may be able to use the user's MiniMax account or consume paid quota.

Why it was flagged

The skill requires a MiniMax API key even though the registry metadata lists no required environment variables or primary credential. The key is purpose-aligned, but it grants provider access and possible billable usage.

Skill content

export MINIMAX_API_KEY="your-api-key-here" ... "MINIMAX_API_KEY": "your-api-key-here"

Recommendation

Use a scoped or limited MiniMax key if available, keep configuration files private, and rotate the key if it is exposed.

What this means

Generated media and signed access URLs may be visible to Telegram recipients or anyone with access to the chat/logs.

Why it was flagged

The workflow sends MiniMax signed media URLs, including access tokens, through Telegram. This is necessary for the documented media-delivery flow, but it means the destination chat and any logs containing the URL can access the generated media until the token expires.

Skill content

When MiniMax returns a URL, it includes a query string with authentication token. You MUST use the FULL URL including all query parameters. ... channel="telegram" ... media="<full_url_with_token>"

Recommendation

Send signed URLs only to intended trusted chats, avoid sensitive generated content, and regenerate media if a URL expires or is shared too broadly.

What this means

A video job may keep running after the chat turn ends, making cost, completion state, or cancellation less obvious.

Why it was flagged

The skill recommends background execution for long-running video generation. This is disclosed and tied to the purpose, but background jobs can continue after the visible interaction and may consume provider quota.

Skill content

Video generation can take significant time (up to 20-30 minutes ...). ... ALWAYS run `generate_video` with `background: true` or inside a background process.

Recommendation

Confirm before starting long background video jobs, track their status, and provide a way to cancel or retry when possible.