Minimax Mcp
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: minimax-mcp Version: 1.0.3 The skill bundle is classified as suspicious due to the inclusion of `curl -LsSf https://astral.sh/uv/install.sh | sh` as an installation method for `uv` in both `SKILL.md` and `references/examples.md`. While `uv` is a legitimate tool, executing arbitrary scripts directly from the internet via `curl | sh` introduces a significant supply chain vulnerability. If the `astral.sh` domain or the installation script itself were compromised, it could lead to remote code execution on the user's system. There is no clear evidence of intentional malicious behavior (e.g., data exfiltration, backdoors) by the skill author, but this risky installation practice constitutes a critical vulnerability.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A changed or impersonated package could affect the MCP server behavior or how the MiniMax API key is used.
The setup runs a remote MCP package through uvx without a pinned version in the documented command. This is central to the skill and user-directed, but users should verify the package/source before installing.
--command "uvx minimax-coding-plan-mcp -y"
Install from a trusted package/source, consider pinning a known version, and compare it with the referenced MiniMax GitHub project before adding credentials.
The key may allow billable MiniMax API calls or quota consumption if misused.
The skill requires a MiniMax API key for its intended provider integration. This is expected, but it delegates account/API usage to the configured MCP server.
`MINIMAX_API_KEY` | ✅ | Your MiniMax API Key
Use a dedicated/regenerable API key where possible, keep it secret, monitor MiniMax usage, and revoke the key if you stop using the skill.
Sensitive images, URLs, search queries, or prompts could be sent to MiniMax for processing.
The examples show local images can be provided to the MiniMax image-understanding tool; because the skill operates through MiniMax API/MCP, user-provided images and prompts may be processed by the external provider.
image_source="/path/to/local/image.png"
Avoid submitting private or confidential files unless you are comfortable with MiniMax processing them, and review the provider’s data handling policy.