mini-token-remains
PassAudited by VirusTotal on May 8, 2026.
Overview
Type: OpenClaw Skill Name: mini-token-remains Version: 1.0.0 The skill bundle describes a legitimate utility for monitoring MiniMax API token usage. The instructions in SKILL.md direct the agent to retrieve credentials from a local configuration file (auth-profiles.json) and query the official MiniMax API endpoint (minimaxi.com). No malicious instructions, obfuscation, or unauthorized data exfiltration patterns were identified in the provided documentation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may access and use your MiniMax API key to query account quota information, which could be surprising if you expected a no-credential skill.
This tells the agent to read a local auth profile containing a MiniMax API key. That is purpose-aligned for checking account usage, but it is high-impact credential access and the supplied metadata declares no primary credential or required config path.
1. 从 auth-profiles.json 读取当前 minimax key
Only use this if you intend the skill to access your MiniMax auth profile. The skill should declare the required credential/config path, limit access to the MiniMax key only, avoid displaying or storing the key, and ideally ask before reading the auth profile.