minimax-understand-image
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s image-analysis purpose is coherent, but it needs review because it asks to inspect local auth profiles for an API key and runs an unpinned external MCP package.
Install only if you are comfortable using MiniMax for the selected images and prompts. Prefer setting MINIMAX_API_KEY yourself instead of letting the skill inspect auth-profiles.json, verify the minimax-coding-plan-mcp package source/version, and run it from an environment that does not contain unrelated secrets.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may open a local file that can contain stored account credentials or profiles, potentially bringing more secrets into context than the image-analysis task requires.
The workflow directs the agent to inspect a local auth-profile store for a MiniMax API key and then persist a key in a local config file. Although it says to confirm use of a matching key, the auth-profile read itself is sensitive and not narrowly implemented in the included code.
Try to obtain it from the profiles in ~/.openclaw/agents/main/agent/auth-profiles.json ... After finding a matching key, ask the user to confirm whether to use it ... cat > ~/.openclaw/config/minimax.json
Require explicit user approval before reading auth-profiles.json, declare the MiniMax credential/config path in metadata, only parse a specific MiniMax profile, avoid displaying unrelated secrets, and store the key with restrictive file permissions.
If the user's shell contains unrelated tokens or secrets, the external MCP process can access them even though they are not needed for image analysis.
The spawned minimax-coding-plan-mcp process inherits the user's full environment in addition to MINIMAX_API_KEY and MiniMax-specific settings.
env={**os.environ, **env}
Run the skill from a clean environment or update the script to pass only the minimal environment variables needed for the MCP server, such as PATH, HOME, and MiniMax-specific variables.
The behavior of the skill depends on code fetched from external package sources at setup/runtime, so future package changes could affect what runs locally.
The setup instructions download and execute an installer script and install an unpinned external MCP package. This is user-directed and related to the skill's purpose, but the package source/version is not pinned in an install spec.
curl -LsSf https://astral.sh/uv/install.sh | sh ... uvx install minimax-coding-plan-mcp
Pin the MCP package version, provide a formal install spec or checksum/provenance details, and prefer reviewed installation steps over piping downloaded scripts directly to a shell.
