Skill v0.1.0

ClawScan security

Openclaw Skill Minimax Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 9:45 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are internally consistent with a local MiniMax usage tracker; it stores data in the user's home directory and does not request credentials or network access.
Guidance
This skill appears coherent and low-risk: it only records prompt counts in a JSON file and prints progress bars. Before installing, review and verify the GitHub source (SKILL.md points to a repo) if you don't already trust it. Note that the script writes to ~/.openclaw/workspace/minimax_usage_data.json (check file ownership and permissions). The reset-time logic uses the system local time: the code assumes a UTC+8 reset window but uses naive datetime.now(), which may produce incorrect reset calculations on systems in other timezones. If correct reset timing is important, review or test that behavior. If you want stronger isolation, run the script in a restricted environment (container or limited-permission user). There are no network calls or credential requests in the packaged code.

Review Dimensions

Purpose & Capability
ok: The name/description (MiniMax usage tracker) matches the included Python script and SKILL.md. Required capabilities (none) are proportional to the stated purpose: the skill only reads/writes a local JSON file and prints progress bars.
Instruction Scope
ok: SKILL.md instructs the agent to invoke the provided script (via subprocess) and to optionally install/copy the skill into the workspace; it does not direct reading of unrelated system files, collection of secrets, or network exfiltration. Integration examples run the local script, which is expected behavior for this skill.
Install Mechanism
ok: No install spec is present (instruction-only with an included script). Nothing is downloaded or executed from external URLs; the README suggests cloning a GitHub repo but the packaged files include the script. This is low-risk from an install perspective.
Credentials
ok: The skill declares no environment variables, no credentials, and no config paths beyond writing to a user-scoped JSON file (~/.openclaw/workspace/minimax_usage_data.json). That storage need is proportional to a usage-tracking utility.
Persistence & Privilege
ok: The skill is not force-included (always:false) and does not request persistent elevated privileges or modify other skills. It only writes its own JSON file in the user's home workspace.