Minimax Tts Gyh

Security checks across malware telemetry and agentic risk

Overview

This looks like a straightforward MiniMax text-to-speech wrapper, but it sends your text to MiniMax and uses an API key that the registry metadata does not fully declare.

Install this only if you are comfortable sending the text you synthesize to MiniMax and using a MiniMax API key from your environment. Install the requests dependency from a trusted source, and choose output paths carefully so generated MP3 files do not overwrite anything important.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Any text you convert may be transmitted to MiniMax for processing.

Why it was flagged

The script sends the user's input text to the MiniMax API as part of the TTS request. This is expected for a cloud TTS service, but it means the text leaves the local environment.

Skill content
`"text": text,` ... `resp = requests.post(url, headers=HEADERS, json=payload, timeout=60)`
Recommendation

Avoid submitting confidential or regulated text unless MiniMax's terms and your own data-handling requirements allow it.

ASI03: Identity and Privilege Abuse
Low
What this means

The skill can make MiniMax API calls using the API key available in the environment.

Why it was flagged

The skill uses a MiniMax API credential from the environment and sends it as a Bearer token to the MiniMax API. This is purpose-aligned, but users should know it requires account/API-key authority even though the registry metadata lists no primary credential.

Skill content
`API_KEY = os.environ.get("MINIMAX_API_KEY")` ... `HEADERS = {"Authorization": f"Bearer {API_KEY}"}`
Recommendation

Use a MiniMax API key with appropriate scope and billing limits, and do not expose it in shared shells or logs.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

Installation depends on whatever requests package/version your environment resolves at install time.

Why it was flagged

The setup instructions require installing the Python requests package manually and do not pin a version. This is a common, purpose-aligned dependency step, but it is not captured by an install spec or lockfile.

Skill content
`pip3 install requests`
Recommendation

Install dependencies from a trusted package index, and consider pinning requests in controlled environments.