Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax PDF Analysis V2

v1.0.0

Analyze PDF files using MiniMax API. Supports text extraction, keyword search, and image-based VLM analysis (converts PDF pages to images first). Requires Mi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (PDF extraction, search, VLM) align with the included Python scripts. Required binaries (python, node) and MINIMAX_API_KEY are reasonable for the VLM feature. However, the bundled Node tool exposes an additional 'web_search' capability and a generic 'understand_image' CLI that can POST arbitrary images or local files to api.minimax.io — this web-search functionality is not documented in SKILL.md and expands the skill's surface beyond the stated PDF-focused purpose. README also references a different domain (platform.minimaxi.com) which is inconsistent with api.minimax.io.
Instruction Scope
SKILL.md instructs running the Python scripts and setting MINIMAX_API_KEY, which is expected. But the codebase contains a Node tool that can perform web searches and convert arbitrary local files to base64 and send them to the MiniMax API. The SKILL.md does not warn that running the Node tool or some modes will upload local file contents (including arbitrary file paths) to a remote service; that could result in inadvertent leakage of sensitive local data if a user or agent invokes those tools.
Install Mechanism
No remote install/downloads or archive extraction are specified; the skill is instruction+source-only. No external installers are executed by the manifest. That lowers supply-chain risk compared with arbitrary downloads.
Credentials
Only MINIMAX_API_KEY is required, which is proportional to calling MiniMax APIs. Be aware that the provided API key will be sent to api.minimax.io when using VLM or web_search; any content you send (images, prompts, extracted text) will be transmitted to that service. The README/SKILL.md request a 'Coding Plan' key (sk-cp-*) which is consistent with the code, but domain references are inconsistent which merits verification.
Persistence & Privilege
The skill does not request always:true, does not alter other skills or system-wide config, and is user-invocable by default. It does not request persistent elevated privileges.
What to consider before installing
This skill appears to implement the advertised PDF extraction/search and image-VLM flows, but it also includes a Node CLI tool that can: (1) perform web searches via the Coding Plan API, and (2) read local image files (or any file path you pass) and upload them as base64 to api.minimax.io.

Before installing or using:
- Do not provide your primary/privileged API key unless you trust api.minimax.io; consider a restricted or throwaway key for testing.
- Avoid running the vision/web_search tools on sensitive PDFs or arbitrary local file paths (they will upload file contents).
- Verify the API host and key provisioning URL (manifest references api.minimax.io; README references platform.minimaxi.com — confirm correct endpoints).
- If you only need offline text extraction/search, run the Python extract/search scripts without setting the API key or invoking vision.
- If you plan to allow autonomous agent invocation, know that an agent could call the Node tool or vision mode and thereby send local file contents to the remote service; restrict agent permissions or review invocation policies.

If you want greater assurance, inspect and run the scripts in an isolated environment and audit network calls (e.g., with a firewall) before using with sensitive data.

Like a lobster shell, security has layers — review code before you run it.

latestvk978t5kqgn0rjts7yft6skgkys83h5dk


Runtime requirements

📄 Clawdis
Bins: python, node
Env: MINIMAX_API_KEY
