Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

minimax-tools

v1.0.0

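Use MiniMax MCP for image understanding and web search. Trigger conditions: (1) the user asks to analyze or understand an image; (2) the user asks for a web or online search; (3) up-to-date information, news, or reference material needs to be looked up.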

by Jiwei Wang @oujakivi
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
Name/description (image understanding + web search) matches the included scripts. However the registry/metadata claims no required env vars or binaries, while both SKILL.md and the scripts require an API key (MINIMAX_API_KEY or ~/.openclaw/config/minimax.json) and the 'uvx' binary (minimax-coding-plan-mcp) to operate. That mismatch between declared requirements and actual needs is incoherent.
[!] Instruction Scope
SKILL.md instructs installing 'uv' via a curl | sh script and installing 'minimax-coding-plan-mcp' with uvx, then placing API keys in a local config file or env var. The runtime scripts read only the declared config/env and call an external MCP process; they don't access unrelated system files. The main scope concern is that instructions direct the user to run a remote installer and to hand an API key to an external binary, which expands the trust surface beyond the skill itself.
[!] Install Mechanism
There is no formal install spec in the registry, but SKILL.md tells users to run 'curl -LsSf https://astral.sh/uv/install.sh | sh' to install uv and then 'uvx install minimax-coding-plan-mcp'. Downloading and executing a remote install script (astral.sh) is higher risk than using vetted package managers or published release artifacts. The MCP install is opaque (uvx-managed), so the skill effectively causes third-party code to be fetched and executed.
[!] Credentials
The registry lists no required environment variables, but the scripts and SKILL.md clearly require MINIMAX_API_KEY (or a config file with an api_key). Requesting an API key for the service itself is reasonable, but the metadata omission is a red flag. Passing the API key to the external 'uvx' process (via env) means the external MCP will have access to the credential; consider whether that key has limited scope and whether you trust the upstream service.
Persistence & Privilege
The skill is not marked always:true and does not request unusual platform privileges. It writes/reads only within ~/.openclaw paths for its own config and workspace. The agent-autonomy default remains allowed (disable-model-invocation is false) but that is normal and not by itself a problem.
What to consider before installing
This skill's functionality is coherent, but the metadata omits two important runtime requirements: the 'uvx' binary (uv/uvx) and a MINIMAX_API_KEY. The install steps require executing a remote install script (astral.sh) and installing a third-party MCP package that will run with your API key. Before installing: (1) verify the source/trustworthiness of astral.sh and the minimax-coding-plan-mcp package (look for official project pages or signed releases), (2) avoid running curl | sh from unknown domains — prefer package managers or manual review, (3) give the MiniMax API key limited scope and do not reuse sensitive credentials, (4) insist the registry metadata be updated to declare required binaries and MINIMAX_API_KEY so you can make an informed consent decision. If you cannot verify the upstream project or prefer not to run remote installers, do not install this skill.

Like a lobster shell, security has layers — review code before you run it.

SKILL.md

minimax-tools

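An integrated MiniMax toolset providing image understanding and web search.

Features

| Feature | Description | Command |
| Image understanding | Analyzes image content; recognizes objects, text, and scenes | understand_image.py |
| Web search | Searches for information, news, and reference material | web_search.py |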

Quick Start

First-time use (must be run on the target device)

Step 1: Install dependencies

# Check whether uvx is available
which uvx

# If it is not present, install uv
curl -LsSf https://astral.sh/uv/install.sh | sh

Step 2: Install the MCP server

uvx minimax-coding-plan-mcp --help

If it reports that the package is not installed, run:

uvx install minimax-coding-plan-mcp

Step 3: Configure the API key

If you do not have a MiniMax API key, you need to purchase one: https://platform.minimaxi.com/subscribe/coding-plan?code=GjuAjhGKqQ&source=link

Configure the API key:

mkdir -p ~/.openclaw/config
cat > ~/.openclaw/config/minimax.json << EOF
{
  "api_key": "你的API密钥",
  "output_path": "~/.openclaw/workspace/minimax-output"
}
EOF

Or set an environment variable:

export MINIMAX_API_KEY="你的API密钥"

Usage

Image understanding

# Describe the image content
python3 ~/.openclaw/workspace/.agents/skills/minimax-tools/scripts/understand_image.py ~/image.jpg "详细描述这张图片"

# Use a URL
python3 ~/.openclaw/workspace/.agents/skills/minimax-tools/scripts/understand_image.py "https://example.com/image.jpg" "这张图片展示了什么?"

Web search

# Search for content
python3 ~/.openclaw/workspace/.agents/skills/minimax-tools/scripts/web_search.py "今天的热点新闻"

# Search for a technical question
python3 ~/.openclaw/workspace/.agents/skills/minimax-tools/scripts/web_search.py "Python 如何处理 JSON"

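Migrating to another device

What needs to be copied to the new device:

  1. Script directory

    ~/.openclaw/workspace/.agents/skills/minimax-tools/scripts/
    
  2. Configuration file

    • Copy ~/.openclaw/config/minimax.json, or
    • Set the MINIMAX_API_KEY environment variable on the new device
  3. Install dependencies (run on the new device):

    # Install uv (if needed)
    curl -LsSf https://astral.sh/uv/install.sh | sh
    
    # Install the MCP server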
    uvx install minimax-coding-plan-mcp
    

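Script descriptions

understand_image.py

  • Reads the API key from the MINIMAX_API_KEY environment variable first
  • If it is not set, reads it from ~/.openclaw/config/minimax.json
  • Supports local image paths and URLs

web_search.py

  • Reads the API key from the MINIMAX_API_KEY environment variable first
  • If it is not set, reads it from ~/.openclaw/config/minimax.json
  • Returns formatted search results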
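
The two runtime requirements the registry metadata omits (the uvx binary and a MiniMax API key, resolved in the order the script descriptions give) can be checked before the skill is run. This is an added example, not part of the skill's own scripts; the function names and the file-permission check are assumptions of this example.

```python
import json
import os
import shutil
import stat
from pathlib import Path

# Config location taken from SKILL.md; the function names are illustrative.
CONFIG_REL = Path(".openclaw") / "config" / "minimax.json"


def resolve_api_key(env, home):
    """Return (source, key, warnings): env var first, then the config file."""
    warnings = []
    if env.get("MINIMAX_API_KEY"):
        return "env", env["MINIMAX_API_KEY"], warnings
    cfg = Path(home) / CONFIG_REL
    if not cfg.is_file():
        return None, None, [f"MINIMAX_API_KEY unset and {cfg} missing"]
    # A file created with the default umask is often readable by other users.
    mode = stat.S_IMODE(cfg.stat().st_mode)
    if mode & 0o077:
        warnings.append(f"{cfg} has mode {mode:03o}; restrict it with chmod 600")
    try:
        data = json.loads(cfg.read_text(encoding="utf-8"))
    except (OSError, json.JSONDecodeError) as exc:
        return None, None, warnings + [f"cannot parse {cfg}: {exc}"]
    key = data.get("api_key") if isinstance(data, dict) else None
    if not key:
        return None, None, warnings + [f"{cfg} has no api_key"]
    return "config", key, warnings


def preflight(env=None, home=None):
    """Collect findings for both requirements the registry metadata omits."""
    env = os.environ if env is None else env
    home = Path.home() if home is None else home
    findings = []
    uvx = shutil.which("uvx", path=env.get("PATH", ""))
    if uvx is None:
        findings.append("uvx not found on PATH")
    source, _key, warnings = resolve_api_key(env, home)
    findings.extend(warnings)
    return {"uvx": uvx, "key_source": source, "findings": findings}


if __name__ == "__main__":
    for line in preflight()["findings"] or ["all requirements present"]:
        print(line)
```
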

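FAQ

Q: The message "uvx: command not found" appears

uv needs to be installed; see Step 1.

Q: The message "API Key 未配置" (API key not configured) appears

The MiniMax API key needs to be configured; see Step 3.

Q: The connection to the MCP server fails

Check the network connection, or try reinstalling: uvx install minimax-coding-plan-mcp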
