Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax Music Generation

v1.0.0

Generate AI music using MiniMax Music 2.5 API. Use when the user wants to: (1) generate instrumental/pure music, (2) generate songs with lyrics, (3) generate...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's name, description, CLI, and Python code all consistently implement music generation via a MiniMax Music API — that part is coherent. However the registry metadata declares no required environment variables while both SKILL.md and the script require MINIMAX_API_KEY (or --api-key). This manifest mismatch reduces trust and is an inconsistency that should be corrected.
! Instruction Scope
SKILL.md and the CLI focus on generating and downloading audio, which is in-scope. But SKILL.md includes a Feishu upload/send example that would transmit the generated audio to an external service using TENANT_ACCESS_TOKEN and USER_OPEN_ID — these credentials are neither declared in the manifest nor present in the code. The presence of that snippet means audio could be sent to an external endpoint if the operator provides those tokens; the skill does not clearly document or request those tokens in its metadata.
Install Mechanism
No install spec — instruction-only skill with one Python script. It depends on the widely used 'requests' library (the script prints a pip install hint). This is a low-install-risk setup (no untrusted downloads or extracted archives).
! Credentials
The only credential the code requires is MINIMAX_API_KEY (appropriate for calling the MiniMax API), which is proportionate to the stated purpose. But the manifest lists no required env vars (contradiction). Additionally, SKILL.md shows a Feishu example that would require TENANT_ACCESS_TOKEN and USER_OPEN_ID (not declared). The omission of those env var requirements in the metadata and the undocumented external upload path are disproportionate to what's advertised.
Persistence & Privilege
No elevated privileges requested. always is false and the skill does not modify other skills or global agent configuration. It writes generated audio to user-specified directories (expected behavior).
What to consider before installing
Key points before installing:
(1) Demand that the skill manifest be corrected to declare MINIMAX_API_KEY as a required env var (and any other tokens it needs).
(2) Verify the MiniMax API domain (https://api.minimaxi.com) and confirm you trust that service and its privacy/retention policies before providing an API key.
(3) Be cautious about the Feishu upload snippet — it would transmit generated audio to an external account if you provide TENANT_ACCESS_TOKEN/USER_OPEN_ID; those tokens are not declared in the skill metadata, so only provide them if you explicitly intend uploads to Feishu.
(4) If you need stronger assurance, request the skill author publish a homepage or source repo, or run the script in a sandboxed environment and review runtime network traffic.
(5) If you don't trust the unknown owner or service, avoid supplying credentials and use an isolated test account or local-only mode (no Feishu upload) instead.

Like a lobster shell, security has layers — review code before you run it.

latestvk970xccmm40tqtyp2vghxf487d84cwwd
