Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

minimax-image

v1.0.0

MiniMax image generation skill - supports text-to-image and image-to-image. Supports multiple aspect ratios (1:1/16:9/9:16/4:3/3:4), returns URL or Base64 format, and can download and save images locally.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code: it implements text→image and image→image using a MiniMax API. Requesting an API key and region is coherent with that purpose, but the registry metadata incorrectly lists no required environment variables or primary credential, which is an inconsistency.
Instruction Scope
SKILL.md and scripts/image.py limit actions to calling the remote /v1/image_generation endpoint, downloading returned URLs, and reading local image files when doing image-to-image. Reading local files and uploading them (base64-embedding) is explicit in the instructions and code.
Install Mechanism
Instruction-only install (no install spec) is low risk. The code imports the third-party 'requests' package but the skill metadata does not declare this dependency — users must ensure 'requests' is available.
Credentials
The runtime requires MINIMAX_API_KEY (and optionally MINIMAX_REGION) and will place the key in an Authorization: Bearer header. The registry declared no required env vars/primary credential, which is misleading. Also, local images supplied for editing are base64-encoded and uploaded to the remote API; sensitive images could be exfiltrated to the service.
Persistence & Privilege
No always:true, no special persistence or modifications to other skills or system settings. The skill runs network requests and file writes only within its stated scope.
What to consider before installing
This skill appears to implement the advertised MiniMax image generation features, but the registry metadata is inconsistent: the code and SKILL.md require MINIMAX_API_KEY and MINIMAX_REGION even though the registry lists none. Before installing, verify the MiniMax API host (api.minimaxi.com / minimax.io) is legitimate for your use, provide a dedicated API key (avoid using high-privilege or long-lived secrets), and do not upload sensitive images because the skill will base64-encode and send local files to the remote service. Ensure the Python 'requests' package is installed in the runtime. If you cannot confirm the skill's source or the API endpoints, run it in an isolated environment or container, and consider reaching out to the publisher for corrected metadata (required env vars and dependencies) before use.

Like a lobster shell, security has layers — review code before you run it.
