MiniMax Text-to-Image Skill

Pass

Audited by ClawScan on May 11, 2026.

Overview

This is a coherent MiniMax text-to-image skill that uses an expected API key and external API, with minor setup/metadata gaps users should notice.

This skill appears safe for its stated purpose. Before installing, understand that your prompts and API key are used with MiniMax, generated images are downloaded and saved locally, and you may need to install the requests Python package yourself.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Using the skill requires a MiniMax API key and may consume the user's MiniMax account quota or billing.

Why it was flagged

The script uses a MiniMax API key as a bearer credential to call the stated MiniMax API. This is expected for the integration, but the registry metadata lists no required environment variables or primary credential.

Skill content

```
self.api_key = api_key or os.environ.get("MINIMAX_API_KEY", "")
...
"Authorization": f"Bearer {self.api_key}"
```

Recommendation

Set MINIMAX_API_KEY only in a trusted environment, rotate it if exposed, and confirm the key has only the permissions needed for image generation.

What this means

Prompt text is sent to MiniMax, generated image URLs are fetched, and image files are saved locally.

Why it was flagged

The code sends the user's prompt to the MiniMax image-generation endpoint, then downloads returned image URLs and writes them to disk. This is purpose-aligned but is still a network-and-file-write capability.

Skill content

```
response = requests.post(API_URL, json=payload, headers=self.headers, timeout=120)
...
img_response = requests.get(url, timeout=60)
...
f.write(img_response.content)
```

Recommendation

Avoid putting private or sensitive information in prompts, and choose an output directory you are comfortable using.

What this means

Installing dependencies manually can introduce normal package-supply-chain risk if done in an untrusted environment.

Why it was flagged

The skill documents a Python dependency but has no install spec or pinned dependency declaration. This is common for a simple API wrapper, but users must manage installation provenance themselves.

Skill content

## Dependencies

```
pip install requests
```

Recommendation

Install requests from a trusted package index in a virtual environment, and prefer pinned dependencies if packaging this skill for broader use.