Back to skill
Skillv1.0.0
ClawScan security
Hailuo Video Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 8, 2026, 5:05 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions match its stated purpose (calling MiniMax video generation APIs with a MINIMAX_API_KEY via curl); nothing in the package indicates unexplained or malicious behavior.
- Guidance
- This skill appears coherent and limited to calling MiniMax video APIs. Before installing: (1) Confirm you trust the MiniMax service at api.minimax.chat and only provide an API key you are willing to use with that provider. (2) If you use the optional callback_url, do not set it to internal or sensitive endpoints unless you understand that task metadata (and possibly links) will be posted there. (3) The examples use jq to parse JSON — install jq if you want to run the examples as-is. (4) Avoid placing unrelated secrets in ~/.openclaw/openclaw.json; the skill only expects skills.hailuoVideo.apiKey.
Review Dimensions
- Purpose & Capability
- okName, description, declared env var (MINIMAX_API_KEY), required binary (curl), and the endpoints in SKILL.md all align with a MiniMax video-generation integration. The config path (~/.openclaw/openclaw.json) is used only as an alternate place to read the API key, which is consistent with the stated purpose.
- Instruction Scope
- noteSKILL.md contains only curl calls to api.minimax.chat endpoints for create/query/download and instructions to read MINIMAX_API_KEY from env or a specific key in ~/.openclaw/openclaw.json. Minor inconsistency: example usage uses jq to parse responses (e.g., jq -r), but jq is not listed in required binaries. The docs include an optional callback_url parameter (legitimate for asynchronous workflows) — users should be cautious if supplying internal endpoints as callbacks because callbacks send task metadata externally.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files; nothing is downloaded or written to disk by the installer. This is the lowest-risk install profile.
- Credentials
- okOnly one credential (MINIMAX_API_KEY) is required and is used by the documented API calls. The single config path is only used to look up the same key. No unrelated secrets or excessive environment access are requested.
- Persistence & Privilege
- okalways is false, user-invocable is true, and the skill does not request persistent or elevated platform-wide privileges. It does not modify other skills' configuration.