ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax Lyrics Generation

v1.0.0

Generate structured song lyrics in various styles and themes using the MiniMax lyrics_generation API for full song creation or editing.

0· 66·0 current·0 all-time
byxRay@raydoomed
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Functionality matches the name/description: the Python script posts prompts to a MiniMax lyrics_generation endpoint and returns structured lyrics. No unrelated binaries or services are requested. However, the skill's metadata declares no required credentials or config paths while both SKILL.md and the script require a local config file containing an API key — this metadata omission is inconsistent.
!
Instruction Scope
SKILL.md instructs the user to create ~/.openclaw/workspace/skills/minimax-lyrics/lyrics_config.json containing an api_key; the included script reads exactly that path. The instructions cause user-provided prompts/lyrics and the API key to be transmitted to https://api.minimaxi.com. The skill does not request or read other system files, but it does not warn users about sensitive data being sent nor about securing the plaintext API key file.
Install Mechanism
No install spec is provided and the skill is instruction-only with a small helper script; nothing is downloaded or extracted. This is the lowest-risk install mechanism.
!
Credentials
The registry metadata lists no required environment variables or config paths, yet the runtime requires a credentials file (lyrics_config.json) containing an API key. The API key is stored/loaded in plaintext from the user's home path, and there is no guidance about file permissions or key scope. The missing declaration of this credential in the metadata is a proportionality/information gap.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and does not demand persistent elevated privileges. It runs on demand and performs a single network call.
What to consider before installing
This skill appears to do what it claims (call a lyrics-generation API) but there are a few things to consider before installing: - Metadata mismatch: the registry declares no credentials or config paths, but the SKILL.md and script require a local file (~/.openclaw/workspace/skills/minimax-lyrics/lyrics_config.json) containing your MiniMax API key. Ask the author to declare this in the registry (requires.env or required config path). - Data exposure: prompts, existing lyrics, and your API key will be sent to https://api.minimaxi.com. Only proceed if you trust that domain and the skill author. There is no homepage or source provenance provided — that increases risk. - Credential handling: the API key is stored in plaintext in a file under your home directory. If you use this, restrict file permissions (chmod 600) and consider using a secret manager or environment variable instead. Verify the API key scope and rotate it if you stop using the skill. - Privacy: avoid sending sensitive or private content (passwords, PII) as prompts; the external service will receive whatever you send. If you need higher assurance, request the author's source/homepage, ask them to update the registry metadata to declare the required config path/credential, and verify the API domain and its privacy/security practices before using the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk9793e0sdgrp5169wktgpwnvhd84nk1n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments