MiniMax MCP Call

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to provide the advertised MiniMax search and image tools, but it runs an unpinned external MCP package and gives it a broad environment that may include unrelated secrets.

Review carefully before installing. This skill is not clearly malicious, but you should only use it if you trust the external minimax-coding-plan-mcp package and are comfortable storing a MiniMax API key in ~/.openclaw/.env. Prefer isolating the environment so unrelated API keys are not present when running it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the external MCP package changes or is compromised, it could run local code under the user's environment when the skill is invoked.

Why it was flagged

At runtime the skill executes an external package that is not included in the manifest and is not version-pinned in the artifacts.

Skill content

mcpProcess = spawn("uvx", ["minimax-coding-plan-mcp", "-y"], {

Recommendation

Pin the package/version, document the package source, use a reviewed local dependency or lockfile, and require clear user approval before first execution.

What this means

Other API keys or secrets present in the OpenClaw environment could be made available to code that only needs the MiniMax API key.

Why it was flagged

The spawned MCP process receives the full process environment, not only the MiniMax variables. The wrapper also loads ~/.openclaw/.env, so unrelated credentials in that file may be exposed to the external MCP server process.

Skill content

env: { ...process.env, MINIMAX_API_KEY: API_KEY, MINIMAX_API_HOST: API_HOST }

Recommendation

Pass only the specific MiniMax variables needed by the MCP server, avoid exporting the entire .env file, and declare the credential requirements in metadata.

What this means

Users may underestimate the setup and credential exposure if they rely only on the registry metadata.

Why it was flagged

The registry metadata says no credential is required, while SKILL.md says the skill requires a MiniMax Coding Plan API key and setup in ~/.openclaw/.env.

Skill content

Required env vars: none ... Primary credential: none

Recommendation

Update metadata to declare the MiniMax API key, uv, and Node.js requirements.

What this means

Search terms, prompts, and image URLs may be sent to MiniMax or processed through the MCP server.

Why it was flagged

The skill routes search queries and image-understanding requests through an MCP server and MiniMax provider, which is expected for the advertised functionality.

Skill content

Web search and image understanding via MiniMax Coding Plan MCP.

Recommendation

Avoid submitting private images, confidential URLs, or sensitive search prompts unless this data sharing is acceptable.