Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax 媒体生成 Unified MiniMax media generation skill for audio, image, and video creation with a single command entrypoint.MiniMax Skill 是一个统一的媒体生成技能，把文本转语音、文生图、文生视频三类能力收口为一个入口。安装后只需配置自己的 MINIMAX_API_KEY，即可通过统一命令生成音频、图片和视频，适合在 OpenClaw / Codex 类环境中直接调用。

v1.0.0

Unified MiniMax media generation skill for Token Plan workflows. Use when the user asks to generate audio, speech, TTS, narration, images, illustrations, pos...

⭐ 0· 0·0 current·0 all-time

by@nmww

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The code and SKILL.md align with the stated purpose: each script calls MiniMax HTTP endpoints to produce audio, images, or video. Requiring an API key (MINIMAX_API_KEY) is expected for a hosted API. However the registry metadata lists no required environment variables or dependencies while the skill and docs clearly require MINIMAX_API_KEY and the Python 'requests' package — this metadata mismatch is an incoherence.

✓

Instruction Scope

Runtime instructions are narrowly scoped to generating media via the MiniMax API and saving outputs to disk. The scripts only read MINIMAX_API_KEY and the command arguments; they do not attempt to read other system files, credentials, or unexpected paths. The README's guidance to put outputs in /tmp and not to hardcode keys is appropriate.

✓

Install Mechanism

This is an instruction-plus-scripts skill with no install spec; nothing is automatically downloaded or written to disk during install. The packaged Python scripts are visible and straightforward. The only missing piece is that the skill expects the 'requests' package and Python 3 but does not declare these in the registry metadata.

Credentials

The code legitimately requires one credential: MINIMAX_API_KEY. That is proportionate to the stated purpose. The concern is that registry metadata omitted this requirement and also omitted declaring the 'requests' dependency, which is an inconsistency the user should notice. Additionally, the setup instructions recommend persisting the key in shell startup files; users should be cautioned about secret storage practices.

✓

Persistence & Privilege

The skill does not request elevated privileges or permanent platform presence (always:false). It does not modify other skills or global agent configuration. It simply uses the provided API key at runtime.

What to consider before installing

This skill appears to implement a simple MiniMax API client (audio/image/video) and the code is readable, but there are a few things to check before installing: - Metadata mismatch: the registry entry claims no required env vars or dependencies, but SKILL.md and the scripts require MINIMAX_API_KEY and Python's 'requests'. Treat that as a red flag and confirm with the publisher. - Verify the API host (api.minimaxi.com) is the official service you expect. Because the scripts send your API key to that host, ensure you trust the provider. - Avoid putting sensitive API keys in globally persistent shell startup files unless you understand the security implications; prefer a secrets manager or per-session export when possible. - Ensure your environment has Python 3 and the 'requests' package installed before running. These inconsistencies look like sloppy metadata/packaging rather than clearly malicious behavior, but confirm the API endpoint and the publisher before providing real credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b0sz85ncas5z564g0rk7tcs84jdna

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

License

Comments