Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

minimax-img

v1.0.0

Use MiniMax image-01 model to generate images from text prompts. Supports high-quality PNG output, downloaded from Hailuo CDN. Install when needed.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill description and SKILL.md advertise image generation via MiniMax image-01, which the script implements. However, the shipped script (scripts/minimax_media.py) also implements text-to-speech (TTS) functionality (speech-2.8-hd) that is not advertised in the README or description — scope creep. Also the registry metadata lists no required environment variables while SKILL.md and the script require MINIMAX_API_KEY (and optionally MINIMAX_BASE_URL). These mismatches suggest the package metadata is incomplete or not aligned with the code.
! Instruction Scope
Runtime instructions are simple (run python scripts/minimax_media.py image "prompt"). The script performs HTTP requests to the MiniMax API and downloads images from returned URLs (CDN). It writes files to /tmp-like locations using tempfile.mktemp, which is insecure (race condition) and may lead to predictable temporary filenames. Aside from network I/O and writing temp files, the instructions do not ask the agent to read unrelated files or other environment variables. Still, the undocumented TTS command expands the agent's behavior surface beyond what the SKILL.md focuses on.
Install Mechanism
There is no install spec; this is instruction-only with an included script. That minimizes install-time risk (no arbitrary downloads or archive extraction). The script depends on the 'requests' Python package but does not attempt to install it automatically; that is a normal runtime dependency. No external install URLs or archive extraction are present.
! Credentials
The script requires a single API credential (MINIMAX_API_KEY) to call the MiniMax API, which is proportional to its purpose. However, the registry metadata claims 'Required env vars: none' while SKILL.md and the code explicitly require MINIMAX_API_KEY and support MINIMAX_BASE_URL — this mismatch is concerning because the declared privileges do not match actual runtime needs. Requesting the API key is expected, but the omission from registry metadata reduces transparency.
Persistence & Privilege
The skill does not request always: true and is user-invocable only. It does not modify other skills or system-wide configuration. It runs on demand and does not request persistent system presence.
What to consider before installing
This package largely does what it says (generate images via MiniMax) but there are some red flags to consider before installing:
1) The registry metadata does not list MINIMAX_API_KEY even though the script requires it — confirm you trust the source before handing over an API key.
2) The included script also supports TTS (text-to-speech) which is not advertised in the README/SKILL.md; if you don't want TTS functionality present, avoid installing.
3) The script uses tempfile.mktemp (insecure) to create temporary files; run it in a sandbox or review/patch the code to use tempfile.mkstemp or NamedTemporaryFile to avoid race conditions.
4) The script performs outbound network calls and downloads images from CDN URLs returned by the API — ensure your environment allows such egress and that the key you provide has limited permissions.
If you plan to use this skill, verify the MINIMAX_API_KEY's scope, confirm the publisher is trustworthy, and consider running the script in an isolated environment first.

Like a lobster shell, security has layers — review code before you run it.

latest vk974zt6rg6ng6abwaq904fcvah83ha75

Runtime requirements

🎨 Clawdis
Bins: python