Minimax Text

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a straightforward MiniMax text-generation wrapper, but users should know it sends prompts to MiniMax and uses a MiniMax API key that is not declared in the registry requirements.

This skill looks coherent and benign for MiniMax text generation. Before installing, make sure you are comfortable providing a MiniMax API key, sending prompts to MiniMax, and manually installing the Python requests package. Use the optional --output path carefully so you do not overwrite files unintentionally.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill must provide a MiniMax API key, and requests may be billed or attributed to that account.

Why it was flagged

The script uses a MiniMax API key as a bearer token. This is expected for the stated MiniMax integration, but it is a credential that may allow account usage or charges.

Skill content

API_KEY = os.environ.get("MINIMAX_API_KEY") ... HEADERS = {"Authorization": f"Bearer {API_KEY}"}

Recommendation

Use a dedicated MiniMax key if possible, keep it out of shared logs, and apply any provider-side spending or scope limits available.

What this means

Text you ask the skill to process may be transmitted to MiniMax's service.

Why it was flagged

The skill sends the prompt, optional system prompt, and optional message history to an external MiniMax API endpoint. This is purpose-aligned but crosses a data boundary.

Skill content

API_HOST = "https://api.minimaxi.com" ... requests.post(url, headers=HEADERS, json=payload, timeout=120)

Recommendation

Do not send secrets, private documents, or regulated data unless MiniMax's terms and your account settings are acceptable for that data.

What this means

The exact installed dependency version depends on the user's Python package environment.

Why it was flagged

The setup instructions require installing an unpinned Python dependency. This is common and expected for the HTTP client used by the script, but it is not captured by an install spec.

Skill content

- `pip3 install requests`

Recommendation

Install dependencies in a virtual environment from a trusted package index, and consider pinning requests to a known-good version.