Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax Media

v1.0.5

MiniMax media skill for voice, image, video, and music generation. Use when the user asks for MiniMax, TTS, text-to-speech, voice, image generation, image-to...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md describes a media-generation CLI that uses MINIMAX_API_KEY and MINIMAX_API_HOST, which is consistent with a media service. However the registry metadata declares no required environment variables and there is no bundled code or install that provides the referenced scripts/minimax. This mismatch makes it unclear how the skill would function and why the metadata omits the API credential it appears to need.
! Instruction Scope
The runtime instructions tell the agent to invoke a local executable path (scripts/minimax) and to read/write files (input images, --output paths). Because the skill includes no script or install, invoking the command would rely on an existing binary in the agent's environment; that gives the agent broad filesystem and network capability depending on what that binary does. The instructions do not themselves solicit unrelated secrets, but they implicitly assume access to API credentials and will read/write arbitrary paths specified by the user.
Install Mechanism
There is no install spec and no code files — lowest install risk. However without an install step the SKILL.md's required CLI is not provided, making the skill non-self-contained. This is potentially sloppy or incomplete design rather than direct maliciousness, but it reduces transparency: users cannot inspect an included script because none is bundled.
Credentials
The SKILL.md documents environment variables (MINIMAX_API_KEY, MINIMAX_API_HOST, and model identifiers). Those variables are reasonable for a media-generation integration, but the package metadata declares no required env vars and no primary credential. The discrepancy between documentation and declared requirements is concerning and should be resolved before trusting secrets to the skill.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and declares no config paths or elevated privileges. Autonomous invocation is allowed (platform default), but that alone is not a red flag here.
What to consider before installing
This skill's README instructs the agent to run a local CLI (scripts/minimax) and to use an API key/host, but the package contains no script, no install instructions, and the registry metadata does not declare the API credential it documents. Before installing or providing secrets:
1) Ask the publisher for the scripts/minimax source or an install package you can inspect.
2) Verify MINIMAX_API_HOST is a legitimate, documented endpoint (avoid personal servers or unknown domains).
3) Do not supply MINIMAX_API_KEY until you can review the client code or a trusted installer.
4) If you must test, run the CLI in a sandboxed environment and inspect network calls (e.g., with an outbound firewall or proxy) and the script's source.
5) Prefer a skill that either bundles its client code or declares its required env vars/primary credential in metadata and provides a verifiable install mechanism.
If the publisher cannot provide code or a trusted install, treat this skill as incomplete and avoid giving it secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk977ha5aqhdxn4s7a80aw8ck2x83dbn1
