Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax Token Plan Usage Monitor

v1.2.0

MiniMax Token Plan usage monitor: automatically queries this week's and the 5-hour window's usage, the remaining plan quota, the remaining call count and the reset time. Supports multi-channel notifications via QQ/Discord/Telegram, with configurable alert thresholds. Trigger phrases (matched literally, kept as written): minimax额度查询, token plan用量, 本周用量, 剩余次数, 订阅状态, minimax coding pla...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto (can make purchases). These labels describe what authority the skill may exercise; they are separate from suspicious or malicious moderation verdicts.

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The name/description claim a simple MiniMax usage monitor, which aligns with the scraping code, but the skill metadata declares no required env vars while SKILL.md asks for MINIMAX_PHONE and MINIMAX_PASSWORD. Worse, several scripts (check_and_notify.js, mouse_simulation.js, stealth_test.js) hardcode a phone number and password directly in source — inconsistent with promised configuration and surprising for a third-party skill.
Instruction Scope (flagged)
SKILL.md instructs only running the scraper and storing credentials in ~/.env, but the included scripts do more: they perform browser automation (Playwright/puppeteer), try to send local notifications by POSTing to localhost:37701, and cron_send.js posts to /v1/chat/completions with an x-openclaw-session-key. The SKILL.md does not disclose use of local OpenClaw API endpoints, nor the hardcoded session/auth tokens present in code — this expands scope beyond 'scrape and print' to interacting with local agent/gateway services.
Install Mechanism
There is no install spec (instruction-only) which is lower-risk, but a full package.json and package-lock.json are bundled, declaring heavy dependencies (playwright, puppeteer, stealth plugins). The scripts also reference a hardcoded Chromium executablePath in a user-specific cache. Installing these dependencies will pull many packages; the lack of an install step in SKILL.md is a mismatch and requires manual npm install and browser setup by the user.
Credentials (flagged)
SKILL.md asks for MINIMAX_PHONE and MINIMAX_PASSWORD in ~/.env, which is reasonable. However, code contains multiple hardcoded sensitive values: an account phone/password pair ('15605428773' / 'sym,1998') embedded in check_and_notify.js, mouse_simulation.js, stealth_test.js; a userId ('9BB108CD...') and a bearer token ('8d9c37620f26f...') used to call localhost:37701; and a bb session key in cron_send.js. These hardcoded credentials are unnecessary for the stated purpose (they should be read from config or left to the user) and create a high-risk credential/privilege mismatch.
Persistence & Privilege
always:false (no forced persistence), which is appropriate. However, the skill is written to interact with local OpenClaw endpoints (localhost:37701) using hardcoded auth/session keys; if those tokens are valid on the host, the skill can trigger messages and BB sessions — giving it the ability to send messages or trigger local agent actions. This combination (local gateway access + hardcoded token) elevates risk even without always:true.
What to consider before installing

- Do NOT assume the hardcoded values are harmless. The code includes an actual phone/password pair and a bearer token/session key that call localhost:37701. If those tokens are valid on your host, the skill can send messages and trigger local sessions without your further consent.
- The SKILL.md claims credentials come from ~/.env but several scripts ignore that and use embedded credentials — this mismatch is suspicious. Ask the author to remove any hardcoded secrets and to make the script read only from explicit, documented config.
- The skill uses Playwright/puppeteer with stealth plugins and a hardcoded Chromium path; installing it will pull large npm deps and require a browser — run in an isolated environment or container if you test it.
- If you need this functionality: (1) request the author remove embedded credentials and tokens, (2) replace them with documented env vars only, (3) verify there are no hardcoded Authorization/Bearer values, and (4) run the code in a sandboxed user account with no access to production OpenClaw tokens. Rotate any local gateway tokens if you suspect they were leaked.
- If you do not trust the source, avoid installing. The combination of hardcoded creds + local gateway calls is a real risk even though the scraping functionality itself is plausible.

Confidence notes: assessment is based on the shipped source; I rated this 'suspicious' (not 'malicious') because the primary functionality (browser scraping) is coherent with the description — but the hardcoded credentials and local gateway tokens are unexplained and disproportionate, which warrants caution. Additional information that would raise confidence: author identity, explanation for embedded tokens, or a cleaned code release with all secrets removed and clear runtime env usage.


latest: vk9792rb0x94n4tqtnfrqpddbgn846cnv


SKILL.md

MiniMax Token Plan Usage Monitor 📊

Monitors the real-time usage of a MiniMax Token Plan subscription, with multi-channel notifications and configurable alert thresholds.

Features

  • 🔄 Automatic queries: the 5-hour window and this week's usage are monitored together
  • 🔔 Multi-channel notifications: push to QQ / Discord / Telegram
  • ⚙️ Alert thresholds: configurable usage-percentage alerts
  • Scheduled checks: daily checks via a cron job
  • 🇨🇳 Mainland-China adaptation: tuned for the mainland-China MiniMax platform

Environment configuration

Set the following variables in ~/.env:

# MiniMax account (phone number + password)
MINIMAX_PHONE=15605428773
MINIMAX_PASSWORD=your_password_here

# Notification settings (optional; leave empty to only write logs)
QQBOT_PORT=37701
# QQ/Discord/Telegram notifications are sent through the OpenClaw message channel

Quick start

Manual query

cd ~/.openclaw/workspace/skills/minimax-token-plan/scripts
node get_token_plan_usage.js

Runs with the account details from ~/.env.

Sample output

📊 MiniMax Token Plan Usage Report

⏰ 2026/4/4 22:00:21

🏷️ Plan: Starter

📌 5-hour window: 4 / 600 (1%)

📌 This week: 1398 / 6000 (23%)

🔄 Resets in 25 hours 59 minutes

Raw JSON output (the resetTime string is emitted in Chinese by the script, as shown)

{
  "success": true,
  "data": {
    "url": "https://platform.minimaxi.com/user-center/payment/token-plan",
    "plan": "Starter",
    "fiveHour": { "used": 4, "limit": 600, "usedPercent": 1 },
    "week": { "used": 1398, "limit": 6000, "usedPercent": 23 },
    "resetTime": "25 小时 59 分钟后重置"
  }
}

Scheduled task (cron)

Recommended check times: daily at 10, 12, 14, 16, 18, 20 and 22 o'clock. The entry below uses absolute /root/... paths, whereas the manual command above uses ~/.openclaw; adjust the paths to the user the cron job runs as.

# Set the cron entry in the OpenClaw configuration
0 10,12,14,16,18,20,22 * * * /usr/bin/node /root/.openclaw/workspace/skills/minimax-token-plan/scripts/get_token_plan_usage.js >> /root/.openclaw/workspace/skills/minimax-token-plan/cron.log 2>&1

Alert threshold configuration

Edit scripts/config.json:

{
  "alertThreshold": {
    "fiveHourPercent": 80,
    "weekPercent": 80
  }
}

When usage exceeds a threshold, the notification highlights it with a ⚠️ warning.


Rate-limit notes

Window       Plan limit    Notes
5-hour       600 calls     Starter plan limit
This week    6000 calls    Counted per calendar week; the reset time is shown in the output

1 API call ≈ 1 model request


Dependencies

  • Node.js + Playwright
  • Chromium browser (installed automatically)
  • .env configuration file (account credentials)

Troubleshooting

Problem                    Solution
Login fails                Check that the phone number and password are correct
Page parsing fails         MiniMax may have changed the page structure; the regex needs updating
Slider CAPTCHA             Not supported in the current version; try increasing the run interval
Notification not sent      Check the QQBot port configuration (default 37701)

💡 Login-free operation requires the MiniMax account's cookie/token to be configured in OpenClaw; consult the official MiniMax documentation for details.

Files

9 total