MiniMax Media Generator
Warn
Audited by ClawScan on May 10, 2026.
Overview
The MiniMax media features are purpose-aligned, but the package includes a runnable helper script with a hardcoded MiniMax API key despite claiming credentials are user-provided and not hardcoded.
Do not run this package as-is unless the hardcoded API key is removed and revoked. If you still want to use it, run only the reviewed scripts that read your own MiniMax key from OpenClaw config, protect that config file, and expect real MiniMax API usage to consume quota.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users could unknowingly use or expose a non-user MiniMax credential, and the leaked key may allow unauthorized account use or quota/billing impact for the key owner.
The shipped helper script contains a hardcoded MiniMax API key instead of only using the user's configured credential. If run, requests would use that embedded account credential.
API_KEY="sk-cp-..."
Remove the hardcoded key, rotate/revoke the exposed credential, and make every script read only from the user's explicit OpenClaw config or environment variable.
A user may trust the package's credential handling more than warranted and run code that contains an embedded secret.
The manifest claims there is no hardcoding, but the included generate.sh file hardcodes an API key. This mismatch can mislead users about credential safety.
"description": "MiniMax 媒体生成插件 - 图片/视频/TTS/音乐(无硬编码)"
Update the manifest and documentation to match the code, and do not publish code containing secrets.
Your MiniMax API key will be saved in local OpenClaw configuration and reused by the skill.
The installer prompts for a MiniMax API key and writes it into ~/.openclaw/openclaw.json. This is purpose-aligned, but it is persistent credential storage.
read -p "请输入您的 MiniMax API Key: " API_KEY ... "apiKey": "$API_KEY"
Use a least-privilege/revocable MiniMax key, protect the OpenClaw config file, and rotate the key if the machine or package is not trusted.
Running the test command may create generation jobs and spend MiniMax credits or quota.
The test command makes real API calls to multiple media-generation endpoints using the configured key. This is aligned with testing the plugin but may consume provider quota.
test_all() ... POST "$BASE_URL/v1/image_generation" ... POST "$BASE_URL/v1/video_generation" ... POST "$BASE_URL/v1/music_generation"
Run tests only intentionally, and consider adding an explicit warning or dry-run option before generating media.
