Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax Search & VLM

v1.0.0

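Use the MiniMax Coding Plan API for web search and image understanding. Use cases: (1) the user needs to search for real-time information or news, (2) image content needs to be analyzed, (3) doing research or looking up reference material. No API key required: the user must configure it themselves.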

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The described purpose (web search + image understanding) matches the runtime instructions (curl calls to search and VLM endpoints). However the registry metadata lists no required environment variables or primary credential while the SKILL.md clearly instructs the user to create and source a MINIMAX_API_KEY file (~/.openclaw/config/minimax-api.env). That omission is an inconsistency.
Instruction Scope
SKILL.md explicitly instructs the agent (user) to read a local config file for MINIMAX_API_KEY, to base64-encode local images and send them to the remote API, and to download remote images into /tmp. Those actions are consistent with the skill's stated function, but they do involve reading local files (images and a file containing a secret) and transmitting their contents to an external service — which is expected for this feature but should be understood by the user.
Install Mechanism
Instruction-only skill (no install spec, no code files). Required binary is curl, which is reasonable for the provided curl examples. No archive downloads or third-party installers were found.
Credentials
The SKILL.md requires a MINIMAX_API_KEY stored in ~/.openclaw/config/minimax-api.env and instructs sourcing it before requests, but the registry metadata declares no required env vars or primary credential. This mismatch means the skill will need a secret not advertised at install time. Additionally, there's no homepage or verified source to confirm where that API key should be obtained or to audit the service.
Persistence & Privilege
always is false and the skill is user-invocable and may be called autonomously (platform default). The skill does not request to modify other skills or system-wide settings. Autonomy combined with the network calls is normal for this kind of integration but increases the impact if the external service or key is untrusted.
What to consider before installing
This skill appears to perform the search and image-analysis tasks it describes, but pay attention before installing: (1) the SKILL.md requires you to create and source a MINIMAX_API_KEY file (~/.openclaw/config/minimax-api.env), yet the registry entry does not declare that credential — confirm you are comfortable providing an API key. (2) There is no homepage or known source for the skill or the MiniMax service in the metadata; verify the api.minimaxi.com domain and the developer/platform before sharing keys or uploading sensitive images. (3) If you proceed, use a dedicated, limited-scope API key (not a reused account key), avoid sending highly sensitive images, and monitor usage. If the publisher updates the registry to explicitly declare MINIMAX_API_KEY and provides verifiable source/homepage or documentation, that would reduce my concern; absence of provenance keeps this in the 'suspicious' bucket.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🔍 Clawdis
Bins: curl
