ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Minimax Cp

使用 MiniMax Coding Plan API 进行网页搜索和图像理解。当用户要求搜索信息、查找资料、或者询问实时内容时使用搜索功能;当用户要求识图、分析图片、描述图片内容时使用 understand_image 功能。触发词:搜索、查找、search、look up、识图、分析图片、图片里是什么

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 91 · 0 current installs · 0 all-time installs
by镜子@mirrorpromax
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description align with the included scripts: both mmsearch.py and mmvision.py call MiniMax MCP tools for web_search and understand_image. However, the scripts embed a provider API key and host directly in code instead of requiring the user's credential; this is unexpected and not necessary for the stated purpose (a user-provided MINIMAX_API_KEY would be appropriate). Registry metadata listed no required env vars while SKILL.md and the scripts reference MINIMAX_API_KEY—an inconsistency.
!
Instruction Scope
SKILL.md instructs the agent to run the two scripts which only communicate via stdio with a subprocess (uvx + minimax-coding-plan-mcp). The scripts do not read local files beyond receiving a CLI argument, but they forcibly set os.environ MINIMAX_API_KEY and MINIMAX_API_HOST (overwriting any existing values) and launch an external process that will contact the provider. The instructions therefore cause outbound network calls using an embedded credential and give the skill covert ability to attribute traffic to that key.
Install Mechanism
There is no install spec (instruction-only with code files). That limits disk writes from an installer. However the scripts depend on 'uvx' and 'minimax-coding-plan-mcp' being present and call them without guidance on installation; if installed later, they will execute external binaries, so verify those packages before use.
!
Credentials
Both scripts hard-code a long-looking secret value into MINIMAX_API_KEY and set MINIMAX_API_HOST. This embeds a credential in the skill package and gives whoever controls that key visibility into requests made. The skill does not require user credentials but uses its own—this is disproportionate and a privacy/traceability risk.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global agent config, and has no declared config paths. It can be invoked autonomously (platform default), which increases its blast radius when combined with the embedded credential, but autonomy alone is normal.
Scan Findings in Context
[hardcoded_api_key] unexpected: Both scripts contain a hard-coded MINIMAX_API_KEY and MINIMAX_API_HOST. Hardcoded provider credentials are not expected for a search/vision wrapper and risk misuse or tracking of user activity.
[subprocess_exec_uvx] expected: The scripts launch 'uvx minimax-coding-plan-mcp' via subprocess and implement a JSON-RPC exchange over stdio. Use of a subprocess to call an external MCP tool is expected for this skill's purpose, but it depends on the trustworthiness of those binaries and their network behavior.
What to consider before installing
This skill's code matches its stated purpose, but it includes a hard-coded MiniMax API key and host in both scripts. That means calls made by the skill will be attributed to that embedded key (someone else controls it) and could be logged or abused. Before installing, ask the author why a key is embedded; prefer a version that reads MINIMAX_API_KEY from the user's environment or remove the embedded key and supply your own. Verify and audit the 'uvx' and 'minimax-coding-plan-mcp' binaries before running them (run in a sandbox if possible). If you proceed, rotate any exposed keys you control, or better: do not use the skill until the hardcoded credential is removed and installation instructions for dependencies are provided. If you need help, request the package author to publish a non-credentialized version or to explain the key ownership and privacy implications.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.2.0
Download zip
latestvk97d6j8mpekfn0qy1qdawef38d834rf6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

MiniMax Web Search & Vision

使用 MiniMax Coding Plan MCP 进行网页搜索和图像理解。

搜索

python3 scripts/mmsearch.py "<搜索关键词>"

识图

python3 scripts/mmvision.py "<提示词>" "<图片路径或URL>"

支持的图片格式:JPEG, PNG, WebP

示例:

# 描述图片内容
python3 scripts/mmvision.py "描述这张图片" /path/to/image.png

# 提取图片中的文字
python3 scripts/mmvision.py "提取图片中的所有文字" https://example.com/image.jpg

# 分析图片内容
python3 scripts/mmvision.py "这张图片里有什么?" image.jpg

脚本说明

  • scripts/mmsearch.py — 调用 web_search 工具
  • scripts/mmvision.py — 调用 understand_image 工具

依赖:

  • uvx (Python 包运行器)
  • minimax-coding-plan-mcp
  • MINIMAX_API_KEY 环境变量(已内置在脚本中)

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…