ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax Search & Vision

v1.0.0

MiniMax 网络搜索和图片理解工具。当用户需要搜索信息或理解图片内容时使用此技能。支持通过 MiniMax Token Plan MCP 进行网络搜索和图片分析。

0· 106·0 current·0 all-time
by@xiaolongliu1988

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xiaolongliu1988/minimax-search-vision.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "MiniMax Search & Vision" (xiaolongliu1988/minimax-search-vision) from ClawHub.
Skill page: https://clawhub.ai/xiaolongliu1988/minimax-search-vision
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install minimax-search-vision

ClawHub CLI

Package manager switcher

npx clawhub@latest install minimax-search-vision
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill advertises MiniMax web search and image understanding, which matches the code. However the registry metadata declares no required environment variables or binaries while the SKILL.md and code clearly require a MINIMAX_API_KEY (env or ~/.openclaw/credentials/minimax_mcp.env) and an external tool (mcporter / mcporter-safe). The metadata omission is an incoherence — a consumer would reasonably expect the primary credential and required binary to be declared.
!
Instruction Scope
SKILL.md and the scripts instruct reading an API key from environment or a credentials file and calling an external MCP runtime via subprocess. The code accepts local file paths for images (and checks file size), reads ~/.openclaw/credentials/minimax_mcp.env, and sets cwd to ~/.mcporter before invoking mcporter-safe. The instructions implicitly allow uploading/processing local files through an external service and do not limit what the external tool may transmit. Also the SKILL.md describes using 'mcporter' while the scripts call 'mcporter-safe' — a tooling-name mismatch that affects runtime behavior.
Install Mechanism
No install spec in registry, but SKILL.md instructs installing mcporter via npm (npm install -g mcporter). The package to run (mcporter-safe) is an external binary/tool the skill relies on; the skill does not download arbitrary code itself. Risk depends on trustworthiness of mcporter/mcporter-safe — users should verify the source and package integrity before installing globally.
!
Credentials
The code requires MINIMAX_API_KEY (and optionally MINIMAX_API_HOST) though the registry declared none. Worse, when launching the external tool the code builds env = { **subprocess.os.environ, 'MINIMAX_API_KEY': api_key, ... }, copying the entire process environment into the child process: this can expose unrelated environment variables (other service tokens, keys) to the external binary. The skill also accepts local file paths for images which may cause local files to be sent to the external MCP service — this is consistent with the feature but is sensitive and should be explicit in metadata and user guidance.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or agent-wide settings. It does not persist itself beyond normal file presence; no elevated platform privileges are requested.
What to consider before installing
This skill appears to implement the advertised search and image-analysis features, but several inconsistencies and risks deserve attention: - The code requires MINIMAX_API_KEY (env or ~/.openclaw/credentials/minimax_mcp.env) but the registry metadata did not declare this; confirm you have and are willing to provide that credential before enabling the skill. - The SKILL.md tells you to install 'mcporter' (npm) but the scripts call 'mcporter-safe' — ask the author to clarify which binary/package is required and where to obtain it. Do not install unknown global npm packages without verifying their origin. - The scripts pass the full process environment into the external mcporter-safe subprocess. That can leak unrelated environment secrets to the external tool; avoid running the skill in environments containing other sensitive tokens unless you audit mcporter/mcporter-safe. - The skill accepts local file paths and will allow the MCP service to process images from your filesystem. Do not analyze local files you consider sensitive unless you trust the remote service and have reviewed the tool's behavior. - Recommendations before installing: (1) request the author update registry metadata to declare MINIMAX_API_KEY and required binaries; (2) verify the official source and integrity of mcporter/mcporter-safe; (3) run the skill in a sandbox or non-sensitive environment first; (4) inspect and set tight permissions on the credentials file (~/.openclaw/credentials/minimax_mcp.env, mode 600); (5) ask for clarification about the mcporter vs mcporter-safe mismatch and whether the subprocess must receive the entire environment. Given these mismatches and the environment-leakage pattern, treat the skill as suspicious until the author corrects metadata and clarifies tooling and env-handling.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a8d059n1g2affyaj4nj10x183b8va
106downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@xiaolongliu1988
latest
Download

MiniMax Tools 技能

MiniMax Token Plan 提供的网络搜索和图片理解工具封装。

触发条件

当用户请求以下操作时激活:

  • "搜索..."
  • "在网上查找..."
  • "这张图片是什么"
  • "分析这张图片"
  • "解释这个图片"
  • "MiniMax 搜索"
  • "用 MiniMax 搜索"

工具说明

web_search

网络搜索工具,根据查询词返回搜索结果。

参数类型必需说明
querystring搜索查询词

输出格式:

{
  "results": [
    {"title": "标题", "url": "链接", "snippet": "摘要"},
    ...
  ],
  "related_searches": ["相关搜索词1", "相关搜索词2"]
}

understand_image

图片理解工具,对图片进行分析和理解。

参数类型必需说明
promptstring对图片的提问或分析要求
image_urlstring图片地址(HTTP/HTTPS URL 或本地文件路径)

支持格式: JPEG, PNG, GIF, WebP(最大 20MB)

安全规范

必须遵守:

  • API Key 从环境变量或凭据文件读取,绝不硬编码
  • 凭据文件路径:~/.openclaw/credentials/minimax_mcp.env
  • 输出时对 API Key 进行脱敏(如 sk-cp-rOHr...****

禁止:

  • 在代码或输出中明文显示 API Key
  • 将凭据信息写入日志

依赖

此技能依赖 mcporter 工具来调用 MiniMax Token Plan MCP 服务。

mcporter 安装:

npm install -g mcporter

MiniMax MCP 配置:

mcporter config add MiniMax \
    --command uvx \
    --args "minimax-coding-plan-mcp -y" \
    --env MINIMAX_API_KEY=$MINIMAX_API_KEY \
    --env MINIMAX_API_HOST=https://api.minimaxi.com \
    --scope home

错误处理

错误类型说明处理方式
ConnectionErrorMCP 服务离线提示用户检查 mcporter 配置
TimeoutError请求超时建议重试或使用更小的图片
ValueError参数无效提示正确的参数格式

示例

网络搜索:

用户: 搜索 Python 教程
助手: 调用 web_search("Python 教程")
返回搜索结果列表

图片理解:

用户: 分析这张图片 https://example.com/diagram.png
助手: 调用 understand_image("描述这张图片的内容", "https://example.com/diagram.png")
返回图片分析结果

维护日志

  • 2026-03-22 v1.0.0: 初始版本,支持 web_search 和 understand_image

Comments

Loading comments...