Skill v1.0.0
ClawScan security
minimax-music · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 25, 2026, 3:00 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's description, SKILL.md, and code disagree about how it works and what credentials are required (missing metadata for MINIMAX_API_KEY, synchronous vs asynchronous behavior, and an unexpected query endpoint), so treat it as inconsistent until clarified.
- Guidance: Do not supply a real MINIMAX_API_KEY to this skill until the inconsistencies are resolved. Specific actions: (1) Ask the publisher to update registry metadata to declare MINIMAX_API_KEY and MINIMAX_REGION. (2) Request clarification/fix: does generate_music return a task ID (async) or an MP3 file (sync)? Fix the /query endpoint (video_generation looks wrong). (3) Inspect/run the Python script in an isolated environment (or sandbox) and ensure the 'requests' dependency is present. (4) If you must test, use a scoped or throwaway API key and run locally in a VM/container so the skill can't access other credentials or sensitive files. (5) Prefer installing only if the author corrects the documentation/metadata so behavior and required credentials match the code.
Review Dimensions
- Purpose & Capability (concern): The skill claims to use the MiniMax API for music and lyrics generation (expected). However, the registry metadata lists no required environment variables while both SKILL.md and the code clearly require MINIMAX_API_KEY (and optionally MINIMAX_REGION). That mismatch between claimed requirements and the actual code is inconsistent.
- Instruction Scope (concern): SKILL.md describes asynchronous generation returning task IDs and async workflows (generate_music -> task ids, query/wait), but the shipped Python implements generate_music as a synchronous POST that decodes audio and returns a local file path. The query_music_task implementation calls /query/video_generation (a video endpoint), which doesn't match the music endpoints described. These contradictions mean the runtime instructions and implementation do not align.
- Install Mechanism (note): There is no install spec (instruction-only style plus a Python script), which is low risk. The script imports the third-party 'requests' library but the skill metadata does not declare dependencies; users must ensure requests is available in their environment.
- Credentials (concern): The code requires MINIMAX_API_KEY (and optionally MINIMAX_REGION), which is proportionate to the stated purpose. However, the registry metadata failed to declare these required environment variables; that omission is a meaningful inconsistency and a usability/security concern (users might not realize they must provide an API key).
- Persistence & Privilege (ok): No elevated persistence requested: always is false, the skill doesn't request system-wide config changes, and it only reads/writes local files for downloaded audio (expected for this functionality).
