Skill v1.1.0
ClawScan security
Minimax Usage Cn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 29, 2026, 1:03 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, instructions, and included script are consistent with its stated purpose of checking Minimax Coding Plan usage and do not request unrelated credentials or perform unexpected network calls.
- Guidance: This skill appears coherent and limited to querying the Minimax usage endpoint. Before installing: (1) Only provide the MINIMAX_API_KEY (do not reuse broader credentials). (2) If you add the cron example, review any notification webhook or email code you add — the example leaves webhook notification as a placeholder. (3) Confirm the endpoint (https://www.minimaxi.com) is the intended provider for your account. (4) Optionally inspect the included script to ensure logging or error handling meets your privacy needs (the script does not print the API key).
Review Dimensions
- Purpose & Capability: ok. Name/description match the actual behavior: the skill only needs curl and MINIMAX_API_KEY to call the documented Minimax endpoint and report usage. Nothing requested (no extra credentials, no unrelated binaries) appears out of scope.
- Instruction Scope: ok. SKILL.md and the included script instruct the agent to call the Minimax API endpoint, parse the JSON response, and optionally emit JSON or human-readable output. The instructions do not read unrelated system files or environment variables, nor do they send data to third-party endpoints beyond the Minimax API (example cron shows where a user could add a webhook, but no external webhook is hard-coded).
- Install Mechanism: ok. No install spec is provided (instruction-only with a bundled script), so nothing is downloaded or installed automatically. The included shell script runs locally and uses only curl and standard shell tools.
- Credentials: ok. Only MINIMAX_API_KEY is required and is declared as the primary credential. That key is appropriate and necessary for the described API calls; no unrelated secrets or config paths are requested.
- Persistence & Privilege: ok. The skill is user-invocable and not forced-always. It does not modify other skills or agent-wide settings. The README suggests a cron example (user-controlled) but the skill itself does not install persistence.
