Minimax-Multimodal-Toolkit
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent MiniMax CLI guide, but users should notice that it relies on an external npm CLI, a MiniMax API key stored locally, file/provider data flows, and no-confirmation flags.
This skill appears purpose-aligned for using MiniMax from a CLI. Before installing, verify the npm package source/version, protect the MiniMax API key stored under ~/.mmx, avoid using --yes for actions you have not approved, and only send files or prompts you are comfortable sharing with the MiniMax service.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI could run or later execute code from the npm package, so the safety of that package matters.
The skill directs installation of a global npm CLI without a pinned version. This is central to the stated purpose, but users rely on an external package that was not included in the reviewed artifacts.
npm install -g mmx-cli
Install from the official MiniMax/mmx source if available, verify the package name and version, and consider pinning a known-good version.
Anyone or anything that can read the stored credential may be able to use the MiniMax account within the key's permissions.
The guide requires or allows a MiniMax API key and states it is stored locally. This is expected for the provider integration, but it grants account/API authority.
mmx auth login --api-key sk-xxxxx ... Auth (persisted to ~/.mmx/credentials.json)
Use a minimally scoped API key if MiniMax supports it, keep ~/.mmx/credentials.json private, and revoke/rotate the key if the device is shared or compromised.
The agent may proceed without an interactive confirmation, which could matter for quota-consuming, billing-related, or resource-changing actions.
The guide recommends using a no-confirmation flag in agent/CI contexts. This is disclosed and may be intended for automation, but it can remove a safety check for account or resource operations.
Always use these flags in non-interactive (agent/CI) contexts: ... `--yes` | Skip confirmation prompts
Use --yes only when the requested action is clearly approved, and require explicit user confirmation for costly, destructive, public, or account-management operations.
Prompts, text files, images, first frames, or webhook destinations chosen for a command may be shared with MiniMax or the specified callback endpoint.
The CLI can send selected local files or URLs to the MiniMax service and can use a callback/webhook URL for video completion. These flows are aligned with media generation, but they cross local/provider boundaries.
`--subject-ref <params>` ... `image=path-or-url`; `--first-frame <path-or-url>`; `--text-file <path>`; `--callback-url <url>`
Only provide files, prompts, and callback URLs that are intended for MiniMax processing, and avoid sending confidential material unless the provider terms and account settings are acceptable.
