ClawHub

minimax-tts-send

WarnAudited by ClawScan on May 18, 2026.

Overview

The skill’s text-to-speech purpose is coherent, but it embeds a MiniMax API key in the code and can send generated audio to messaging channels.

Review this skill before installing. The TTS behavior itself matches the description, but the embedded MiniMax API key should be removed and replaced with your own declared credential. Also verify any message recipient before sending generated audio.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

High
#ASI03: Identity and Privilege Abuse
What this means

Users may unknowingly use or expose someone else's MiniMax account key; generated requests, voice access, usage, and costs may be tied to that embedded account.

Why it was flagged

The script embeds a MiniMax API secret directly in source code and uses it for API access, rather than requiring a user-provided, scoped credential.

Skill content
def get_api_key():
    key = "sk-api-Tszh1qpO-..."
    return key
Recommendation

Remove the hardcoded key, revoke or rotate it, require users to provide their own MiniMax API key through a declared environment variable or config file, and document the credential requirement.

Low
#ASI07: Insecure Inter-Agent Communication
What this means

Any text converted to speech may be processed by MiniMax and associated with the API account used by the script.

Why it was flagged

The user-provided text is sent to the MiniMax API. This is expected for a TTS integration, but it means the text leaves the local environment.

Skill content
"text": text,
...
resp = requests.post(url, headers=headers, json=data, timeout=60)
Recommendation

Avoid sending secrets or sensitive text unless you trust the provider and account boundary; prefer using your own configured API key.

Low
#ASI02: Tool Misuse and Exploitation
What this means

If invoked with the wrong channel, target, or media file, generated audio could be sent to an unintended recipient.

Why it was flagged

The documentation shows sending generated audio through messaging channels. This is purpose-aligned and user-directed, but it can post media to external recipients.

Skill content
openclaw message send --channel telegram --target "xxxxxxx" --media /home/eric/.openclaw/workspace/audio/audio.mp3 -m "语音"
Recommendation

Confirm the destination channel, target, and file path before sending any voice message.