Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mini-Agent
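v1.0.0
Mini-Max AI programming assistant - an intelligent code development tool based on the MiniMax M2.5 model, supporting file operations, command execution, code writing, and more. Suitable for the OpenClaw Agent system.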
by @l1-m1ng
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (programming assistant with file and command execution) aligns with the tools and capabilities described (read/write/edit files, run bash). Requiring a 'mini-agent' binary and offering to install a Node package from GitHub is consistent with delivering that tool. However, documentation repeatedly references an external MiniMax API key and API endpoint (config.yaml / MINIMAX_API_KEY), but the skill metadata does not declare any required env vars or credentials — an inconsistency that should be justified.
Instruction Scope
The runtime instructions and examples explicitly instruct reading/writing arbitrary files and executing arbitrary shell commands across user paths (e.g., /home/pi, /var/log), and describe persistent logs that record full requests and tool calls (which can include user inputs and secrets). Those behaviors are within the broad scope of a code-assistant but are high-risk operations; the SKILL.md and docs also reference inspecting other skills ('get_skill'), which can expose other skills' contents. The skill's docs instruct accessing specific config and log paths (~/.mini-agent/ and /home/pi/.openclaw/agents/xiaoma) even though these paths were not declared in the registry metadata.
Install Mechanism
The install spec is a Node package installed with a command that clones from GitHub (git+https://github.com/MiniMax-AI/Mini-Agent.git). GitHub is a common host, but the skill package included no code files to audit locally — the actual runtime code will be pulled from that repository at install time and was not scanned. 'uv tool install' is a non-standard installer command in this context; installing arbitrary code from a remote repo is a moderate risk and should be inspected before running.
Credentials
The skill metadata lists no required environment variables or credentials, yet the docs/config explicitly require a MiniMax API key (api_key / MINIMAX_API_KEY) and an api_base. That mismatch is problematic: the skill expects a secret but does not declare it. Additionally, logs described will record requests/responses and tool invocations (potentially capturing secrets). The absence of declared credentials in metadata reduces transparency about what sensitive information the skill will need or might capture.
Persistence & Privilege
The skill does not request 'always: true' and does not claim to modify other skills or global agent settings. It does create and use persistent config and log directories under ~/.mini-agent/, which is normal for a tool of this type but worth auditing because logs may include sensitive request contents.
What to consider before installing
This skill behaves like a powerful local coding assistant (can read/write files and run shell commands) and its docs indicate it uses an external MiniMax API key and keeps detailed logs — but the registry metadata doesn't declare required credentials or config paths. Before installing: (1) review the upstream GitHub repo (https://github.com/MiniMax-AI/Mini-Agent.git) and the npm package contents to confirm what code will run; (2) verify how and where it stores logs/config and whether logs may include secrets; (3) only provide an API key if you trust the MiniMax service and have audited the client code; (4) consider running the package in a sandboxed environment or VM and restrict permissions to the ~/.mini-agent and workspace directories; (5) ask the publisher to update metadata to declare required env vars (MINIMAX_API_KEY/MINIMAX_API_BASE) and config paths so you can make an informed trust decision.
Like a lobster shell, security has layers — review code before you run it.
latest vk979wxht2y8wkwdz0e5mxn9cw58231n9
Runtime requirements
Bins: mini-agent
Install
Install Mini-Agent (uv)
Bins: mini-agent
npm i -g mini-agent