Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Minimax Music Gyh
v1.0.0
MiniMax music generation model; supports models such as Music-2.5/Music-2 and generates music from a text description. Uses the MINIMAX_API_KEY environment variable.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The script implements a music-generation client that uses MINIMAX_API_KEY and talks to an API host (api.minimaxi.com), which aligns with the skill description. However, the registry metadata did not declare MINIMAX_API_KEY as a required environment variable (declared required env vars: none), and _meta.json ownerId/name fields differ from the registry owner; these mismatches reduce confidence in provenance/documentation completeness.
Instruction Scope
SKILL.md instructs running the included Python script and installing requests, which is appropriate. The script only uses MINIMAX_API_KEY and network calls to api.minimaxi.com. One important behavior: the script accepts a download_url from the API response and will fetch and write that arbitrary URL to disk — expected for file retrieval but it means whatever URL the API returns will be downloaded (possible SSRF/unsanitized remote fetch risk).
Install Mechanism
No install spec; the skill is instruction-only with a small included script and requires python3 and the requests package. This low-risk install model writes no installers or external binaries.
Credentials
The code requires a single API key (MINIMAX_API_KEY) which is proportional to the described functionality, but the registry did not list this env var or a primary credential. That mismatch (declared requirements vs. actual runtime needs) is a documentation/provenance concern and could mislead users about what secrets are exposed to the skill.
Persistence & Privilege
The skill is not marked always:true, does not request persistent system privileges, and does not modify other skills' configs. It runs as an invoked script only.
What to consider before installing
This skill's code appears to do what it says (call a remote music-generation API and save an MP3), but pay attention to three things before installing: (1) The registry metadata does not declare the required MINIMAX_API_KEY — verify where the API key should come from and that you trust the provider. (2) The source/homepage is unknown and owner fields are inconsistent — prefer skills with clear provenance or inspect the code yourself. (3) The script will download whatever download_url the API returns and write it to disk; run the skill in an isolated environment or sandbox, and ensure network egress policies are acceptable to avoid accidental retrieval of internal resources. If you need higher assurance, ask the publisher for a canonical homepage/release or run the small script in a controlled test environment and review responses from api.minimaxi.com before using production credentials.
Like a lobster shell, security has layers — review code before you run it.
latestvk97edspdckvtt7hdjpk9qkvfyh84pxtc
Runtime requirements
🎵 Clawdis
Bins: python3
