ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax MCP Call

v1.0.0

MiniMax MCP tools - Web search and image understanding via MiniMax Coding Plan. Use when user needs web search, current information, or image analysis. Requi...

1· 668·5 current·5 all-time
by@russellfei
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill claims web search and image understanding and includes a client that calls tools named web_search and understand_image via a local MCP process. Required items (MINIMAX_API_KEY, optional MINIMAX_API_HOST, Node.js, and the 'uv' runtime/uvx binary) line up with that purpose.
Instruction Scope
SKILL.md and the wrapper script limit actions to installing 'uv', storing/loading MINIMAX_API_KEY in ~/.openclaw/.env, and launching the provided Node.js client. The scripts only read the declared ~/.openclaw/.env and do not attempt to read unrelated system paths or other credentials.
!
Install Mechanism
There is no formal install spec in the manifest; SKILL.md instructs users to run a remote install (curl | sh) from https://astral.sh/uv/install.sh to install 'uv'. Running arbitrary remote install scripts is higher risk — verify the source and script contents before executing.
Credentials
Only MINIMAX_API_KEY and MINIMAX_API_HOST are used; these are required and used by the client and forwarded to the spawned 'uvx' process. The quantity and naming of env vars are proportional to the stated functionality.
Persistence & Privilege
The skill is not automatically always-enabled and does not request persistent platform privileges. It writes/reads credentials to a user-scoped file (~/.openclaw/.env) which is expected for storing an API key; it does not modify other skills or system-wide settings.
Assessment
This skill appears to do what it says: it launches a local MCP process (uvx) and forwards your MINIMAX_API_KEY so the MCP can perform web searches and image analysis. Before installing: - Review the remote installer it asks you to run (https://astral.sh/uv/install.sh). Don't run curl | sh unless you trust the source; inspect the script first or install 'uv' from a trusted package channel. - Be aware the skill stores your API key in ~/.openclaw/.env and exports it to the spawned uvx process. If the 'uvx' binary or the MCP server is compromised, your key could be exposed — prefer a scoped/revokable key. - Confirm the MINIMAX_API_HOST value (default https://api.minimaxi.com) is correct for the service you expect. - If you want extra safety, run this skill inside a sandboxed environment or container, or create a dedicated API key with limited permissions and rotate it if needed.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ca7yvthesygwzsjb61zfhtd820k7f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments