ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

minimax-web-search

v1.0.7

使用 MiniMax MCP 进行网络搜索。触发条件:(1) 用户要求进行网络搜索、在线搜索、查找信息 (2) 需要查询最新资讯、新闻、资料 (3) 使用 MiniMax 的 web_search 功能

2· 3.9k·52 current·53 all-time
by要啥自行车@thincher
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code and instructions: the skill runs a local MCP client (uvx minimax-coding-plan-mcp) and forwards a 'web_search' JSON-RPC call using a MiniMax API key. Required artifacts (uvx, MCP, API key, config file) are consistent with a web-search integration.
Instruction Scope
Runtime instructions are narrowly scoped to installing/using uvx, checking/creating ~/.openclaw/config/minimax.json for an API key, and invoking scripts/web_search.py. They do not request unrelated files, credentials, or send data to unexpected endpoints in the instructions.
!
Install Mechanism
The SKILL.md recommends running a remote installer via 'curl -LsSf https://astral.sh/uv/install.sh | sh'. This is a high-risk pattern because it downloads and executes code from a third-party URL instead of a vetted package repository or release host. The domain is not an obvious well-known release host (e.g., GitHub releases) and the instructions encourage piping to sh and swapping PyPI mirrors, raising the chance of supply-chain/mitm issues. This is the primary security concern.
Credentials
The skill does not request unrelated credentials. It uses MINIMAX_API_KEY (or a config file entry) which is appropriate for a service-integrated search tool. It stores the key in ~/.openclaw/config/minimax.json (plaintext) — expected but the user should be aware of plaintext storage.
Persistence & Privilege
The skill does not request always: true or other elevated agent privileges. It writes its own config under the user's home (~/.openclaw) and runs a local uvx process; this is expected for the described workflow and not excessive.
What to consider before installing
This skill appears to do what it says (call a MiniMax MCP web_search), but the installer recommendation 'curl https://astral.sh/uv/install.sh | sh' is a risky pattern: it executes remote code on your machine. Before installing, review the installer script on astral.sh yourself (download it and inspect it), prefer getting 'uvx' from an audited package source or official documentation, and consider running installation in a sandbox or VM. Note the skill asks you to save your MiniMax API key in plaintext at ~/.openclaw/config/minimax.json — ensure you trust the MiniMax service and the skill's origin before storing secrets. If you cannot verify the installer or provenance, treat this skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk978gb9zdr2racgbtxg739enc981w0z6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments