ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax Coding Plan

v0.1.1

MiniMax Coding Plan native web search and image understanding for OpenClaw. Use when the user specifically wants MiniMax-native search or image analysis, or...

0· 946·3 current·3 all-time
by@yjli-new

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yjli-new/minimax-coding-plan.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "MiniMax Coding Plan" (yjli-new/minimax-coding-plan) from ClawHub.
Skill page: https://clawhub.ai/yjli-new/minimax-coding-plan
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install yjli-new/minimax-coding-plan

ClawHub CLI

Package manager switcher

npx clawhub@latest install minimax-coding-plan
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements web_search and understand_image endpoints against a MiniMax API host, matching the skill's stated purpose. It also attempts to obtain a MiniMax API key from MINIMAX_API_KEY or from OpenClaw auth profile files, which is reasonable for an API client. However the skill metadata declared no required environment variables even though MINIMAX_API_KEY is used at runtime.
!
Instruction Scope
Runtime behavior is mostly within scope (sending queries and image data to the MiniMax API). Concerns: the code will read multiple candidate auth-profiles.json files from OpenClaw agent dirs (OPENCLAW_AUTH_PROFILES_JSON, OPENCLAW_AGENT_DIR, OPENCLAW_HOME, ~/.openclaw, and /home/admin/.openclaw). While it only extracts specific fields for a minimax profile, scanning those locations can expose other sensitive agent configuration files and tokens to the skill's logic. The script also fetches remote image URLs (downloading arbitrary user-supplied URLs) and base64-uploads image content to the external API — expected for image understanding but important to be aware of.
Install Mechanism
No install spec; the skill is instruction/code-only and runs the included Python script. Nothing is downloaded at install time and no additional packages or network installers are invoked.
!
Credentials
Registry metadata claims no required env vars, but the runtime uses MINIMAX_API_KEY and several OpenClaw environment variables (OPENCLAW_AUTH_PROFILES_JSON, OPENCLAW_AGENT_DIR, OPENCLAW_HOME) to find auth profiles. Requesting access to agent auth profiles (which may contain other credentials) is broader than the skill metadata indicates and should have been declared and justified.
Persistence & Privilege
The skill does not request always:true, does not write to system-wide configs, and does not persist new credentials. It runs on demand and does not change other skills' configurations.
What to consider before installing
This skill appears to perform MiniMax web search and image analysis by calling an external API (DEFAULT_HOST https://api.minimaxi.com). Before installing: - Be aware the script will upload image contents (base64) and your queries to that external host. - The code will look for an API key in MINIMAX_API_KEY or by reading OpenClaw auth-profiles.json files from several locations (OPENCLAW_AUTH_PROFILES_JSON, OPENCLAW_AGENT_DIR, OPENCLAW_HOME, ~/.openclaw, /home/admin/.openclaw). Confirm you are comfortable with the skill reading those files (they can contain other secrets). - The skill's registry metadata does not declare MINIMAX_API_KEY or the auth-profile access; that mismatch is a red flag. Ask the author to document required env vars and why those paths are searched. - Because no homepage or publisher information is provided and the API host is external, verify the trustworthiness of the MiniMax API endpoint before sending sensitive images or data. - If you decide to use it: supply MINIMAX_API_KEY explicitly in a controlled environment, or ensure auth-profiles.json files do not contain unrelated secrets; consider network monitoring or running in a sandbox if you need to audit what is sent. I have moderate confidence in this assessment; providing the skill's author or a canonical homepage, or confirming the API host is legitimate and the exact format of auth-profiles.json, would increase confidence.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🧠 Clawdis
latestvk971h6aacagk8xt7pa961fzkah82fyc4
946downloads
0stars
2versions
Updated 4h ago
v0.1.1
MIT-0
@yjli-new
latest
Download

MiniMax Coding Plan

Use the local wrapper:

bash {baseDir}/scripts/minimax-plan.sh <tool> [args...]

Available tools:

  • web_search --query "..."
  • understand_image --prompt "..." --image-source /path/to/file-or-url

Recommended routing:

  • Use this skill when the user explicitly wants MiniMax-native search or MiniMax-native image understanding.
  • For ordinary web research, tavily-search is still the general-purpose default.
  • If the main minimax-portal text model path is not exposed as a reliable image route in the current OpenClaw setup, use understand_image.

Examples:

bash {baseDir}/scripts/minimax-plan.sh web_search --query "MiniMax M2.5 release note"
bash {baseDir}/scripts/minimax-plan.sh understand_image --prompt "Describe the UI in this screenshot" --image-source /tmp/screen.png
bash {baseDir}/scripts/minimax-plan.sh understand_image --prompt "Extract the visible text" --image-source https://example.com/image.png

Notes:

  • This wrapper first uses MINIMAX_API_KEY when present. Otherwise it looks for an existing minimax-portal OAuth profile in OPENCLAW_AUTH_PROFILES_JSON, OPENCLAW_AGENT_DIR, OPENCLAW_HOME, or ~/.openclaw.
  • Output is JSON. For image analysis, read content first. If base_resp.status_code != 0, explain the MiniMax API error plainly.
  • Supported image formats: JPEG, PNG, WebP.

Comments

Loading comments...