Minimax Usage
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can make an authenticated MiniMax API call and view account usage information for the account tied to the API key.
The skill uses the user's MiniMax API key to make an authenticated request. This is expected for the stated purpose and is disclosed, but the key is still sensitive account authority.
API_KEY="${MINIMAX_API_KEY}" ... --header "Authorization: Bearer $API_KEY"Use only a MiniMax API key you intend to expose to this local skill, keep it out of logs and shared environments, and rotate it if you later distrust the skill or host.
If you copy the webhook example, MiniMax usage details may be posted to Discord or another downstream service.
The documentation shows an optional workflow that pipes usage alerts to a Discord webhook. This is user-directed, but it can send account usage details to an external service if configured.
*/30 * * * * bash /home/claw/.openclaw/workspace/skills/minimax-usage/scripts/minimax-usage.sh --threshold 20 | discord-webhook
Only pipe the output to a webhook you control, avoid public channels, and verify what the downstream command does before scheduling it.