ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax Token Plan 余额查询

v1.1.1

查询 MiniMax Token Plan 订阅套餐余额。引导用户配置 API Key(通过 openclaw config set 保存到本地环境变量),查询 M2.7 请求次数、TTS 字符、视频/图片生成配额等。

0· 78·1 current·1 all-time
by@superuser-fank
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill legitimately needs an API key and makes calls to a MiniMax API endpoint, which matches its description. However, the package metadata lists no required environment variables or primary credential even though SKILL.md and scripts rely on MINIMAX_API_KEY. That mismatch is unexplained and reduces trust.
!
Instruction Scope
SKILL.md instructs users to 'paste the Key to me' (the agent) or save it via `openclaw config set`. Asking users to paste a secret into a chat can expose the key to the model/service; the skill claims the key is only stored locally but the instructions also encourage direct pasting. The runtime instructions otherwise stay within the staking purpose and only reference MiniMax endpoints.
Install Mechanism
No install spec (instruction-only with a small script) — nothing is downloaded or extracted. That's low-risk from an installation perspective.
!
Credentials
The script and SKILL.md expect an environment variable MINIMAX_API_KEY, and the script uses curl and python3, but the registry metadata declares no required env vars or binaries. Requiring a secret without declaring it is disproportionate and undocumented. Also, the skill recommends storing the key via OpenClaw config; users should verify how and where that is stored.
Persistence & Privilege
always is false and the skill does not request persistent system-wide changes or modify other skills. It only suggests saving a key to the agent's OpenClaw config (normal behavior).
What to consider before installing
This skill mostly does what it says (queries MiniMax usage), but there are important caveats: 1) The skill expects an environment variable MINIMAX_API_KEY and the script uses curl and python3, yet the registry metadata doesn't declare these — ask the author to add MINIMAX_API_KEY to required envs and list runtime deps. 2) SKILL.md asks you to paste your API key into the chat. Avoid pasting long-lived secrets into conversation with an agent unless you trust the platform; prefer saving the key via `openclaw config set` yourself and confirm how OpenClaw stores/encrypts the config. 3) If you proceed, create a limited-scope or test Token Plan key (not your primary account key) so exposure risk is minimized. 4) Request the maintainer to document: required env var, required binaries (curl, python3), and to avoid instructing users to paste secrets into chat; prefer CLI-only configuration flows. If these issues are fixed or clarified, the skill is reasonable to use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f5afm2qw5qwvns2z4mtbfhx83t2rq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments