Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Minimax Image
v1.1.0
Generate images using MiniMax API (image-01 model). Automatically optimizes prompts for better results. Use when user asks to generate images, create picture...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code (index.js) implements prompt optimization and calls an external image-generation API (model image-01) which is consistent with the skill name/description. The dependency (axios) is reasonable for HTTP calls. However, the registry metadata claims no required env vars while SKILL.md and the code require an API key, an inconsistency that reduces trust in the manifest.
Instruction Scope
SKILL.md instructs the agent to use MINIMAX_API_KEY or AIMLAPI_API_KEY and to call https://api.minimaxi.com/v1/image_generation; the runtime code follows that. The instructions do not request other files or broad system data. The concern is that the skill metadata does not declare the required env vars (so the skill may fail or prompt users unexpectedly), and the SKILL.md is the authoritative runtime instruction but is out of sync with the registry metadata.
Install Mechanism
There is no install spec (instruction-only install), which is lower risk. But the package includes code and package.json/package-lock.json with dependencies (axios). That implies the runtime environment must provide Node and install dependencies; the lack of an explicit install specification is an operational mismatch (not inherently malicious) and could cause surprises if dependencies are not installed automatically.
Credentials
The code requires a single API credential (MINIMAX_API_KEY or AIMLAPI_API_KEY), which is proportional for a third-party API. The problem is the registry metadata declares no required env vars/primary credential, creating a mismatch. Also confirm what provider 'minimaxi.com' is and whether the API key you provide is scoped appropriately — the skill will send prompts and any returned URLs to that external service.
Persistence & Privilege
The skill does not request permanent presence (always: false). It does not modify other skills or system configs. Autonomous invocation is allowed by default but not combined with other high-risk flags here.
What to consider before installing
This skill's code does what its description claims (optimizes prompts and calls an external image API), but the package/registry metadata and file manifests are inconsistent. Before installing:
1) Verify you trust the API host (https://api.minimaxi.com) and the origin of this skill;
2) Only provide an API key if you understand its scope and trust the service — the skill will send your prompt text to that endpoint;
3) Expect to need Node and to install dependencies (axios) since package.json is present but no install step is declared;
4) Note the registry metadata lists no required env vars while SKILL.md and index.js require MINIMAX_API_KEY or AIMLAPI_API_KEY; ask the publisher to fix the manifest/version mismatches (package.json/_meta.json vs SKILL.md/registry) before trusting automatic installs.
If you cannot verify the provider or publisher, do not supply sensitive or reused API keys.
index.js:95
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
