Minimax Text

Advisory

Audited by VirusTotal on Apr 12, 2026.

Overview

- Type: OpenClaw Skill
- Name: minimax-text
- Version: 1.0.0

The skill bundle provides a standard interface for interacting with the MiniMax text generation API. The Python script `scripts/text.py` correctly handles API authentication via the `MINIMAX_API_KEY` environment variable and communicates exclusively with the official MiniMax endpoint (api.minimaxi.com). No evidence of data exfiltration, malicious execution, or prompt injection was found in the code or documentation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill must provide a MiniMax API key, and requests may be billed or attributed to that account.

Why it was flagged

The script uses a MiniMax API key as a bearer token. This is expected for the stated MiniMax integration, but it is a credential that may allow account usage or charges.

Skill content

`API_KEY = os.environ.get("MINIMAX_API_KEY")` ... `HEADERS = {"Authorization": f"Bearer {API_KEY}"}`

Recommendation

Use a dedicated MiniMax key if possible, keep it out of shared logs, and apply any provider-side spending or scope limits available.

What this means

Text you ask the skill to process may be transmitted to MiniMax's service.

Why it was flagged

The skill sends the prompt, optional system prompt, and optional message history to an external MiniMax API endpoint. This is purpose-aligned but crosses a data boundary.

Skill content

`API_HOST = "https://api.minimaxi.com"` ... `requests.post(url, headers=HEADERS, json=payload, timeout=120)`

Recommendation

Do not send secrets, private documents, or regulated data unless MiniMax's terms and your account settings are acceptable for that data.

What this means

The exact installed dependency version depends on the user's Python package environment.

Why it was flagged

The setup instructions require installing an unpinned Python dependency. This is common and expected for the HTTP client used by the script, but it is not captured by an install spec.

Skill content

- `pip3 install requests`

Recommendation

Install dependencies in a virtual environment from a trusted package index, and consider pinning requests to a known-good version.