Minimax Usage

v1.0.1

Monitor Minimax Coding Plan usage to stay within API limits. Fetches current usage stats and provides status alerts.

by Seth Rose (@thesethrose)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose (monitor Minimax coding-plan usage) matches what the script does (HTTP GET to the Minimax platform using an API key and GroupId). However, the registry metadata declares no required environment variables or credentials, while both SKILL.md and the script require MINIMAX_CODING_API_KEY and MINIMAX_GROUP_ID. This mismatch is incoherent; the required variables should have been declared.
! Instruction Scope
SKILL.md instructs the user to create a .env 'in the same directory as the script', but the script actually sources "$(dirname "$0")/../../.env" (two directories up). That difference means the script may read a .env in an unexpected location (potentially unrelated environment data). The script only sends data to platform.minimax.io (expected), and does not appear to exfiltrate to other endpoints, but the incorrect source path is a scope creep/risk because it can pull in variables the author didn't intend.
Install Mechanism
No install spec (instruction-only plus a shell script). Nothing is downloaded or written during an install step, which is low risk. The provided script is executed locally and not installed from remote URLs.
! Credentials
The script needs MINIMAX_CODING_API_KEY and MINIMAX_GROUP_ID (proportionate to the task). However the registry lists no required env vars (incoherent). Additionally the script sources a .env file from ../../.env which could load many other environment variables not intended for this skill; that's a proportionality risk. The script also relies on jq and curl but required binaries were not declared in metadata.
Persistence & Privilege
The skill does not request permanent presence (always:false). It does not modify other skills or system-wide settings and does not persist credentials; it simply reads variables and makes a single API call. Autonomous invocation is enabled by default (normal).
What to consider before installing
Before installing or running this skill:
1) Do not assume the metadata lists required credentials — the script expects MINIMAX_CODING_API_KEY and MINIMAX_GROUP_ID.
2) Inspect and fix the .env sourcing path: SKILL.md says create .env next to the script but the script sources ../../.env. Either place your .env two levels up (risky) or edit the script to source a local .env (e.g., source "$(dirname "$0")/.env").
3) Ensure jq and curl are available (jq is used but not declared).
4) Keep the .env file minimal — only include the two Minimax values; don't put other secrets in that file if you keep it at ../../.env.
5) Run the script in an isolated environment (container or sandbox) until you confirm it behaves as expected.
6) Prefer the registry metadata to be updated to declare the env vars and required binaries; if you cannot verify or change the script, treat this skill as untrusted.

Runtime requirements

📊 Clawdis