Skill v1.1.0

ClawScan security

Feishu BGM · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 10, 2026, 4:14 AM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill's description matches its behavior, but the package metadata fails to declare the required MiniMax API credential and a few other small inconsistencies make this install worth caution.
Guidance
This skill appears to do what it says (generate BGM via MiniMax and send it to Feishu), but the registry metadata incorrectly omits the required MiniMax credential. Before installing: (1) verify you are comfortable giving an API key to the MiniMax service (api.minimaxi.com) and ensure the key has limited scope/quotas; (2) confirm how the 'message' tool sends files (that it posts only to the Feishu group and not to other endpoints); (3) inspect the mmx-cli project and the included scripts/generate_bgm.py (already bundled) to ensure no additional network endpoints or unexpected behavior; (4) ask the skill author to update the registry metadata to declare MINIMAX_API_KEY (or equivalent) so permissions are explicit. If you cannot verify those points or do not trust the MiniMax service/author, do not install or provide your API key.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (generate BGM for Feishu groups via MiniMax) matches the instructions and the bundled Python script. However, registry metadata reports no required environment variables or primary credential while the SKILL.md and scripts clearly require MiniMax authentication (CLI login or MINIMAX_API_KEY). That mismatch is unexpected and should be corrected by the author.
Instruction Scope
ok: Runtime instructions are narrowly scoped to: install/use the MiniMax CLI, or call the provided Python script to request audio from MiniMax, then send the resulting MP3 to the Feishu chat via a 'message' tool. The instructions do not request unrelated system files or other external services beyond MiniMax and Feishu messaging.
Install Mechanism
ok: There is no automated install spec; the SKILL.md instructs the user to install a public npm package (mmx-cli) and optionally run the included Python script. The npm package referenced points to a GitHub repo in the doc link; no obscure download URLs or archive extraction are used in the skill itself.
Credentials
concern: The Python script requires a MINIMAX_API_KEY environment variable and the SKILL.md documents CLI authentication (API key or OAuth). Yet the registry metadata lists no required env vars or primary credential. The API key request is proportional to the stated purpose, but the failure to declare it in metadata is a security/process concern. Confirm where and how the API key will be stored and used, and whether the key must have limited scope/quotas.
Persistence & Privilege
ok: The skill does not request always:true and has no install-time behavior that modifies other skills or system-wide configs. It operates on-demand and writes only its generated audio to /tmp/openclaw or other provided paths.