For using MiniMax MCP to generate audio, image, and video and send them to Telegram.
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: minimax-to-telegram
Version: 1.0.0
The skill bundle is classified as suspicious due to its reliance on external command execution and dependency installation. The `SKILL.md` instructs the AI agent to install a global npm package (`mcporter`) and then execute `mcporter` CLI commands. This introduces a supply chain risk if the `mcporter` package itself is compromised, and creates a potential for shell injection vulnerabilities if user inputs are not properly sanitized when passed to `mcporter`. Additionally, the skill involves file system modification (`~/.mcporter/config.json`) and network I/O (sending media to Telegram), which are powerful capabilities that could be misused via prompt injection against the agent, even though the stated purpose is benign.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or running an unverified npm package or MCP server could execute code outside the reviewed skill instructions.
The skill asks the user to install/run an external CLI and add an MCP server by name, but the artifact does not pin versions or identify a trusted source. This is expected for the integration, but it is still a supply-chain detail users should verify.
npm install -g mcporter ... npx mcporter --help ... mcporter mcp add minimax-mcp
Install mcporter and the MiniMax MCP server only from trusted sources, prefer pinned versions where possible, and review the package/server documentation before use.
Anyone who obtains the API key may be able to use the user's MiniMax account or consume paid quota.
The skill requires a MiniMax API key even though the registry metadata lists no required environment variables or primary credential. The key is purpose-aligned, but it grants provider access and possible billable usage.
export MINIMAX_API_KEY="your-api-key-here" ... "MINIMAX_API_KEY": "your-api-key-here"
Use a scoped or limited MiniMax key if available, keep configuration files private, and rotate the key if it is exposed.
Generated media and signed access URLs may be visible to Telegram recipients or anyone with access to the chat/logs.
The workflow sends MiniMax signed media URLs, including access tokens, through Telegram. This is necessary for the documented media-delivery flow, but it means the destination chat and any logs containing the URL can access the generated media until the token expires.
When MiniMax returns a URL, it includes a query string with authentication token. You MUST use the FULL URL including all query parameters. ... channel="telegram" ... media="<full_url_with_token>"
Send signed URLs only to intended trusted chats, avoid sensitive generated content, and regenerate media if a URL expires or is shared too broadly.
A video job may keep running after the chat turn ends, making cost, completion state, or cancellation less obvious.
The skill recommends background execution for long-running video generation. This is disclosed and tied to the purpose, but background jobs can continue after the visible interaction and may consume provider quota.
Video generation can take significant time (up to 20-30 minutes ...). ... ALWAYS run `generate_video` with `background: true` or inside a background process.
Confirm before starting long background video jobs, track their status, and provide a way to cancel or retry when possible.
