Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
minimax-understand-image
v1.0.3使用 MiniMax MCP 进行图像理解和分析。触发条件:(1) 用户要求分析图片、理解图像、描述图片内容 (2) 需要识别图片中的物体、文字、场景 (3) 使用 MiniMax 的 understand_image 功能
⭐ 6· 5.3k·47 current·51 all-time
by要啥自行车@thincher
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, and included script align with calling MiniMax's understand_image via an MCP helper. The code uses MINIMAX_API_KEY and calls a minimaxi.com host, which is coherent. However the SKILL.md also instructs the agent to look through other agent auth profiles (~/.openclaw/agents/main/agent/auth-profiles.json) to harvest a key — that access is not strictly necessary for image understanding and broadens the scope.
Instruction Scope
SKILL.md tells the operator/agent to: (a) search ~/.openclaw/agents/main/agent/auth-profiles.json for keys whose names contain 'minimax' and prompt the user to reuse them, (b) ask the user to provide the API key if not found, and (c) save the key into ~/.openclaw/config/minimax.json. Reading another agent's auth-profiles is scope creep because it may expose unrelated credentials. The doc also instructs running a remote install script via curl | sh (see install_mechanism), which grants the installer broad discretion. Note: the provided Python script itself does not implement reading auth-profiles.json (it only reads env or ~/.openclaw/config/minimax.json) — so there is a discrepancy between the prose instructions and the code.
Install Mechanism
There is no packaged install spec in the registry, but SKILL.md recommends installing 'uvx' via curl -LsSf https://astral.sh/uv/install.sh | sh and then using uvx to install minimax-coding-plan-mcp. Executing a remote install script via curl|sh is a common pattern but carries risk — you should review the install script before running it. The suggested alternate mirrors change PYPI index URLs (UV_INDEX_URL) which is reasonable for local mirrors but also expands sources used during install.
Credentials
The skill does not declare required environment variables in metadata, and the code only needs MINIMAX_API_KEY (or the config file) — that is proportionate. However the SKILL.md's instruction to search other agent auth profiles for keys could expose unrelated credentials. Storing the API key plaintext in ~/.openclaw/config/minimax.json is expected but has persistence implications the user should consider.
Persistence & Privilege
always is false and the skill does not request elevated privileges. It suggests writing its own config at ~/.openclaw/config/minimax.json, which is normal for storing its API key. It does not modify other skills' configuration or system-wide settings in the provided code.
What to consider before installing
This skill appears to do what it says (call MiniMax's understand_image tool), but review these points before installing: (1) do not blindly run curl | sh install commands — inspect https://astral.sh/uv/install.sh yourself or obtain uvx from a trusted package source; (2) the SKILL.md suggests searching ~/.openclaw/agents/main/agent/auth-profiles.json for API keys — avoid allowing automated scanning of other agents' auth files, and manually confirm any credential reuse; (3) if you provide an API key, be aware it will be stored plaintext at ~/.openclaw/config/minimax.json unless you change the behavior; (4) verify the minimaxi.com host and that you trust the MiniMax service; (5) note the discrepancy between the prose (which suggests reading other auth files) and the script (which reads only MINIMAX_API_KEY or ~/.openclaw/config/minimax.json). If you are uncomfortable with any of the above, do not install or run the installer until those concerns are addressed.Like a lobster shell, security has layers — review code before you run it.
latestvk9703cybp9627x9fyshehww35x81szez
License
MIT-0
Free to use, modify, and redistribute. No attribution required.