Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Minimax Mcp
v1.0.3MiniMax MCP 服务器,提供网络搜索和图像理解能力。当用户需要:(1) 网络搜索信息,(2) 分析/描述图片,(3) 从URL提取内容时使用此技能。需配置 MINIMAX_API_KEY(国内版 api.minimaxi.com 或全球版 api.minimax.io)。
⭐ 1· 2.8k·29 current·31 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md declares needing MINIMAX_API_KEY, MINIMAX_API_HOST and the uvx binary, which make sense for an MCP server that calls the MiniMax API. However the top-level registry listing in the package metadata reported 'Required env vars: none' and 'Homepage: none', while SKILL.md includes required env vars and a GitHub link. This mismatch between declared registry requirements and the runtime instructions is an inconsistency that should be resolved.
Instruction Scope
Runtime instructions are narrowly scoped to configuring an MCP server, calling web_search and understand_image, and using local or remote image paths. They do instruct editing a local Claude/Cursor config file (user config path) and using local image files — these are expected for this skill. However the doc also recommends running a remote install script (curl ... | sh) for the 'uv' tool in troubleshooting, which broadens scope and is risky if done blindly.
Install Mechanism
There is no formal install spec in the registry (skill is instruction-only), but SKILL.md metadata suggests installing 'uv' (brew formula) and the troubleshooting text suggests running a remote installer from https://astral.sh/uv/install.sh via curl|sh. Brew is low-risk; piping an internet script to sh is higher-risk. Because the skill itself is only documentation/instructions (no code files), the main install risk comes from following those external install commands.
Credentials
Requesting MINIMAX_API_KEY and MINIMAX_API_HOST is proportionate to the described functionality (calling MiniMax web/image APIs). No other unrelated secrets are requested. Still, the registry summary omitted these env requirements while SKILL.md declares them — the mismatch should be clarified so users know what credentials are needed.
Persistence & Privilege
The skill does not request always:true or any elevated persistent presence. It does not modify other skills or system-wide settings in the instructions. The skill will rely on an external MCP server process (uvx + minimax-coding-plan-mcp) invoked by mcporter, which is normal for this capability.
What to consider before installing
This skill appears to genuinely implement a MiniMax MCP connector, but there are a few red flags to consider before installing:
- Metadata mismatch: the registry summary says no required env vars/homepage but SKILL.md requires MINIMAX_API_KEY, MINIMAX_API_HOST and references a GitHub repo. Confirm the authoritative source (check the GitHub link in SKILL.md) and that the repo and binaries are legitimate.
- Credentials: you must provide your MiniMax API key — only supply a key you control, and ensure the MINIMAX_API_HOST matches the region of the key.
- External installer caution: the docs suggest running curl https://astral.sh/uv/install.sh | sh if uvx is missing. Do not run remote install scripts without inspecting them; prefer installing via a package manager (brew) or reviewing the install script source.
- Local file access: the skill expects local image paths and editing of local app config files (e.g., Claude/Cursor config) — be mindful of what you store or expose in those configs.
If you want higher confidence, ask the skill author for the exact upstream GitHub release and the checksums for the 'minimax-coding-plan-mcp' binary (or inspect that repository yourself) and verify the install script contents before running it.Like a lobster shell, security has layers — review code before you run it.
latestvk97fth61y31f0at5wzdpvpjzh1812kes
License
MIT-0
Free to use, modify, and redistribute. No attribution required.