mini-token-remains
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill matches its stated MiniMax usage-checking purpose, but it reads a local MiniMax API key from auth-profiles.json even though no credential or config access is declared.
Before installing, confirm that you want this skill to use your MiniMax API key from auth-profiles.json. It appears read-only and purpose-aligned, but the credential access is under-declared, so prefer a version that explicitly declares the required auth profile and explains how the key is protected.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may access and use your MiniMax API key to query account quota information, which could be surprising if you expected a no-credential skill.
This tells the agent to read a local auth profile containing a MiniMax API key. That is purpose-aligned for checking account usage, but it is high-impact credential access and the supplied metadata declares no primary credential or required config path.
1. 从 auth-profiles.json 读取当前 minimax key
Only use this if you intend the skill to access your MiniMax auth profile. The skill should declare the required credential/config path, limit access to the MiniMax key only, avoid displaying or storing the key, and ideally ask before reading the auth profile.