Minimax Usage
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: minimax-usage Version: 1.0.1 The skill bundle is designed to monitor Minimax API usage. The `minimax-usage.sh` script uses `curl` to query the legitimate Minimax API endpoint, authenticating with an API key sourced from a `.env` file. While there is a discrepancy between the `SKILL.md` instructions for `.env` file placement and the script's actual path (`../../.env`), this appears to be a functional bug or a common pattern for shared environment variables, not an attempt at data exfiltration or malicious access. There is no evidence of prompt injection, unauthorized execution, persistence mechanisms, or obfuscation. All actions align with the stated purpose of monitoring API usage.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may read credentials from a different, broader .env file than the user expects, such as a shared OpenClaw or project-level config file.
The script loads account credentials from a .env file two directories above the script, while the user-facing setup text says the .env should be in the same directory and the registry metadata declares no required env vars or primary credential.
source "$(dirname "$0")/../../.env"
API_KEY="${MINIMAX_CODING_API_KEY}"
GROUP_ID="${MINIMAX_GROUP_ID}"Before use, verify the exact .env path. Prefer changing the script to read a clearly scoped same-directory config file and declare MINIMAX_CODING_API_KEY and MINIMAX_GROUP_ID in metadata.
If that parent .env file contains shell commands or has been modified unexpectedly, running the usage check could execute those commands locally.
Using shell source executes the contents of the referenced .env file rather than only parsing key/value pairs, and the referenced file is outside the documented same-directory location.
source "$(dirname "$0")/../../.env"
Use a safer parser for only the two needed variables, or source only a trusted, skill-local .env file after user review.