OpenClaw MiniMax Media

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent setup guide for a MiniMax media plugin, but installing it means trusting an external npm package and protecting a MiniMax API key.

This skill appears suitable if you intend to install the MiniMax media plugin. Before installing, verify the npm package and GitHub project, use the pinned version if possible, and only configure a MiniMax API key you are comfortable letting the plugin use.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#ASI04: Agentic Supply Chain Vulnerabilities

Low

What this means

Installing the plugin will add external package code to the user's OpenClaw environment.

Why it was flagged

The skill's main action is to install a third-party npm-hosted OpenClaw plugin. This is disclosed and purpose-aligned, but the plugin package contents are outside the provided artifacts.

Skill content

openclaw plugins install npm:@jwongart/openclaw-minimax-media --pin

Recommendation

Verify the npm package and publisher, prefer the pinned specific-version install when possible, and review the plugin before giving it a real API key.

#ASI03: Identity and Privilege Abuse

Low

What this means

A real API key may allow usage of the user's MiniMax account or paid plan.

Why it was flagged

The plugin is configured with MiniMax credentials in OpenClaw config or environment variables. This is expected for the MiniMax provider integration, but it is sensitive account authority.

Skill content

"apiKey": "YOUR_MINIMAX_CODING_PLAN_API_KEY" ... MINIMAX_CODE_PLAN_KEY ... MINIMAX_CODING_API_KEY ... MINIMAX_API_KEY

Recommendation

Use a dedicated, least-privilege key if available, store it securely, avoid committing it to source control, and rotate it if exposed.

#ASI02: Tool Misuse and Exploitation

Low

What this means

Using the tools may transmit task content to MiniMax and may incur provider usage costs.

Why it was flagged

After installation, the plugin exposes provider-backed media generation, image understanding, TTS, and web search tools. This matches the stated purpose but can send prompts or selected content to the provider and may consume quota.

Skill content

The plugin registers these OpenClaw tools: `minimax_image`, `minimax_image_generate`, `minimax_music_generate`, `minimax_video_generate`, `minimax_tts`, `minimax_web_search`

Recommendation

Confirm intended tool use before sending sensitive prompts or media, and monitor MiniMax usage limits or billing.