Skill v1.0.0
ClawScan security
Minimax Tts Gyh · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 12, 2026, 3:28 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is a straightforward MiniMax TTS client and mostly behaves as described, but the package metadata fails to declare the required MINIMAX_API_KEY (and there is a small owner/slug mismatch), which is an incoherence you should resolve before trusting the skill.
- Guidance: This appears to be a normal client for a MiniMax TTS API, but before installing: 1) do not provide sensitive or broad credentials — the script only needs a service-specific MINIMAX_API_KEY, so use a limited-scope key or test key; 2) confirm the API host (https://api.minimaxi.com) is the official vendor and acceptable for your data; 3) ask the publisher to fix the metadata to declare MINIMAX_API_KEY as a required credential and to resolve the owner/slug mismatch; 4) inspect the script (already included) and, if possible, run it in a sandbox or with non-production credentials; 5) be aware the script will write files to the specified output path and will follow a download_url returned by the API (so a compromised API could cause the client to fetch from other hosts). If the metadata is corrected and the API host verified, the skill becomes coherent and lower risk.
Review Dimensions
- Purpose & Capability: concern. The script and SKILL.md both require a MINIMAX_API_KEY and call a MiniMax API host (https://api.minimaxi.com), which is coherent with a TTS client. However the registry/metadata lists no required environment variables or primary credential — an explicit omission that contradicts the code and instructions. _meta.json_ ownerId ('gyh') does not match the registry owner ID, which may indicate packaging/copy issues.
- Instruction Scope: ok. Runtime instructions and the included script stay inside the TTS use case: they require Python+requests, call the MiniMax API endpoints, poll async tasks, download returned audio, and write an output file. The SKILL.md does not instruct reading unrelated files or exfiltrating data beyond the TTS API.
- Install Mechanism: ok. No install spec is provided (instruction-only plus a bundled script). There are no remote downloads or archive extracts in the install metadata. The only runtime dependency is the Python requests package, which the README suggests installing with pip.
- Credentials: concern. The code requires the MINIMAX_API_KEY environment variable, but the skill metadata claims no required env vars or primary credential. Requesting an API key is expected for this purpose, but the metadata omission is misleading and could cause accidental missing prompts or credential misuse. No other unrelated credentials are requested.
- Persistence & Privilege: ok. The skill does not request persistent or elevated platform privileges (always:false). It only writes audio output files to the path the user supplies; it does not modify other skills or system-wide configuration.
