Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Minimax Token
v2.2.1检查 MiniMax API Token 剩余配额。支持定时检查并通过 Telegram 发送通知。适用于:查询 Token 余额、配置定时监控、设置余额不足提醒。
⭐ 1· 291·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The description and SKILL.md both claim the skill queries MiniMax API quotas, supports scheduling and Telegram notifications — that purpose is plausible and the listed dependencies (python3, requests, curl) are proportional. However the package contains no executable/script (minimax_token.py) or service file even though SKILL.md instructs running them. The skill cannot function as described without those missing files.
Instruction Scope
Runtime instructions are narrowly scoped to calling the MiniMax API and optionally sending Telegram messages, installing requests, and setting up a user systemd service. They do not ask for unrelated system data. But the instructions assume running a local Python script and using environment variables that are not declared in the registry metadata — a mismatch that permits unexpected behavior if the missing code were supplied later.
Install Mechanism
There is no install spec (instruction-only), which is lower risk. SKILL.md recommends pip3 install requests and standard system utilities; nothing instructs downloading arbitrary archives or executing code from an untrusted URL. The main risk is the missing script — the instructions expect you to add/run files not included.
Credentials
SKILL.md requires MINIMAX_API_KEY (mandatory) and optionally TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, OPENCLAW_LOG_DIR. The registry metadata, however, lists no required environment variables or primary credential. That discrepancy is significant: the skill needs a secret (MiniMax API key) to operate but the skill metadata does not declare it, preventing policy/permission reviewers from noticing required secrets.
Persistence & Privilege
The skill does not request always: true and defaults allow user invocation and autonomous invocation (normal). The instructions include setting up a user-level systemd service — this creates a persistent user job that will run with whatever environment the user configures (including the API key). That's expected for a monitoring tool but the user should review the actual service file (not provided) before enabling it.
What to consider before installing
Do not install or run this skill yet. The SKILL.md expects you to run minimax_token.py and to install a systemd service, but the published bundle contains no script or service file and the registry metadata does not declare the required MINIMAX_API_KEY. Ask the publisher for the missing source files and the exact service unit; verify the service unit and Python script content before running. Confirm the MiniMax API endpoints used are legitimate, and if you test it, run in an isolated account or container and use a limited-scope API key (rotate it afterward). If you plan to enable the systemd service, inspect its environment handling to ensure secrets aren't written to world-readable files and that the job runs only under your user account.Like a lobster shell, security has layers — review code before you run it.
latestvk97bvwkzf3j3m6p6wdchgmpcv182rmk7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.