ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

minimax-understand-image

v1.0.3

使用 MiniMax MCP 进行图像理解和分析。触发条件:(1) 用户要求分析图片、理解图像、描述图片内容 (2) 需要识别图片中的物体、文字、场景 (3) 使用 MiniMax 的 understand_image 功能

6· 4.2k·42 current·46 all-time
by要啥自行车@thincher
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and included script align with calling MiniMax's understand_image via an MCP helper. The code uses MINIMAX_API_KEY and calls a minimaxi.com host, which is coherent. However the SKILL.md also instructs the agent to look through other agent auth profiles (~/.openclaw/agents/main/agent/auth-profiles.json) to harvest a key — that access is not strictly necessary for image understanding and broadens the scope.
!
Instruction Scope
SKILL.md tells the operator/agent to: (a) search ~/.openclaw/agents/main/agent/auth-profiles.json for keys whose names contain 'minimax' and prompt the user to reuse them, (b) ask the user to provide the API key if not found, and (c) save the key into ~/.openclaw/config/minimax.json. Reading another agent's auth-profiles is scope creep because it may expose unrelated credentials. The doc also instructs running a remote install script via curl | sh (see install_mechanism), which grants the installer broad discretion. Note: the provided Python script itself does not implement reading auth-profiles.json (it only reads env or ~/.openclaw/config/minimax.json) — so there is a discrepancy between the prose instructions and the code.
Install Mechanism
There is no packaged install spec in the registry, but SKILL.md recommends installing 'uvx' via curl -LsSf https://astral.sh/uv/install.sh | sh and then using uvx to install minimax-coding-plan-mcp. Executing a remote install script via curl|sh is a common pattern but carries risk — you should review the install script before running it. The suggested alternate mirrors change PYPI index URLs (UV_INDEX_URL) which is reasonable for local mirrors but also expands sources used during install.
Credentials
The skill does not declare required environment variables in metadata, and the code only needs MINIMAX_API_KEY (or the config file) — that is proportionate. However the SKILL.md's instruction to search other agent auth profiles for keys could expose unrelated credentials. Storing the API key plaintext in ~/.openclaw/config/minimax.json is expected but has persistence implications the user should consider.
Persistence & Privilege
always is false and the skill does not request elevated privileges. It suggests writing its own config at ~/.openclaw/config/minimax.json, which is normal for storing its API key. It does not modify other skills' configuration or system-wide settings in the provided code.
What to consider before installing
This skill appears to do what it says (call MiniMax's understand_image tool), but review these points before installing: (1) do not blindly run curl | sh install commands — inspect https://astral.sh/uv/install.sh yourself or obtain uvx from a trusted package source; (2) the SKILL.md suggests searching ~/.openclaw/agents/main/agent/auth-profiles.json for API keys — avoid allowing automated scanning of other agents' auth files, and manually confirm any credential reuse; (3) if you provide an API key, be aware it will be stored plaintext at ~/.openclaw/config/minimax.json unless you change the behavior; (4) verify the minimaxi.com host and that you trust the MiniMax service; (5) note the discrepancy between the prose (which suggests reading other auth files) and the script (which reads only MINIMAX_API_KEY or ~/.openclaw/config/minimax.json). If you are uncomfortable with any of the above, do not install or run the installer until those concerns are addressed.

Like a lobster shell, security has layers — review code before you run it.

latestvk9703cybp9627x9fyshehww35x81szez

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

minimax-understand-image

使用 MiniMax MCP 服务器进行图像理解和分析。

执行流程(首次需要安装,后续直接步骤4调用)

步骤 1: 检查并安装依赖

1.1 检查 uvx 是否可用

which uvx

如果不存在,安装 uv:

方法 1: 使用官方安装脚本(推荐)

curl -LsSf https://astral.sh/uv/install.sh | sh

方法 2: 使用国内镜像加速(如果官方脚本下载失败)

临时使用清华镜像源安装:

export UV_INDEX_URL="https://pypi.tuna.tsinghua.edu.cn/simple"
curl -LsSf https://astral.sh/uv/install.sh | sh

或者临时使用阿里云镜像源:

export UV_INDEX_URL="https://mirrors.aliyun.com/pypi/simple/"
curl -LsSf https://astral.sh/uv/install.sh | sh

1.2 检查 MCP 服务器是否已安装

uvx minimax-coding-plan-mcp --help

执行命令判断是否MCP服务器已安装, 如果安装了跳到步骤 2。

1.3 安装 MCP 服务器(如果未安装)

方法 1: 使用默认源安装

uvx install minimax-coding-plan-mcp

方法 2: 使用国内镜像加速(如果默认源下载失败)

临时使用清华镜像源:

export UV_INDEX_URL="https://pypi.tuna.tsinghua.edu.cn/simple"
uvx install minimax-coding-plan-mcp

或者临时使用阿里云镜像源:

export UV_INDEX_URL="https://mirrors.aliyun.com/pypi/simple/"
uvx install minimax-coding-plan-mcp

步骤 2: 检查 API Key 配置

cat ~/.openclaw/config/minimax.json 2>/dev/null | python3 -c "import json,sys; d=json.load(sys.stdin); print(d.get('api_key', ''))"

如果返回非空的 API Key,跳到步骤 4。

步骤 3: 配置 API Key(如果未配置)

3.1 尝试从 ~/.openclaw/agents/main/agent/auth-profiles.json 中的配置文件中获取

根据返回的判断:

  • 名称包含 "minimax" 或 "MiniMax"

找到匹配的 Key 后,询问用户确认是否使用。

3.2 如果没有找到 Key,向用户索要

直接询问用户提供 MiniMax API Key。 如果未购买MiniMax,购买地址为: https://platform.minimaxi.com/subscribe/coding-plan?code=GjuAjhGKqQ&source=link

3.3 保存 API Key

mkdir -p ~/.openclaw/config
cat > ~/.openclaw/config/minimax.json << EOF
{
  "api_key": "API密钥",
  "output_path": "~/.openclaw/workspace/minimax-output"
}
EOF

步骤 4: 使用 MCP 处理图像

4.1 准备图片

将图片放到可访问路径,例如:

  • ~/.openclaw/workspace/images/图片名.jpg
  • 或者使用 URL

4.2 调用 understand_image

使用脚本调用 MCP 服务:

python3 {curDir}/scripts/understand_image.py <图片路径或URL> "<对图片的提问>"

示例:

# 描述图片内容
python3 {curDir}/scripts/understand_image.py ~/image.jpg "详细描述这张图片的内容"

# 使用 URL
python3 {curDir}/scripts/understand_image.py "https://example.com/image.jpg "这张图片展示了什么?"

4.3 API 参数说明

参数说明类型
image图片路径或 URLstring (必填)
prompt对图片的提问string (必填)

脚本说明

脚本位置:{curDir}/scripts/understand_image.py

功能:

  • 优先从环境变量 MINIMAX_API_KEY 读取 API Key,如果没有则从 ~/.openclaw/config/minimax.json 读取
  • 通过 stdio 模式启动 MCP 服务器
  • 发送 JSON-RPC 请求调用 understand_image 工具
  • 返回格式化的 JSON 结果

错误处理:

  • API Key 未配置时提示错误
  • uvx 未安装时提示安装命令
  • MCP 服务器错误时显示 stderr 输出

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…