MiniMax Image Generation

PassAudited by ClawScan on May 10, 2026.

Overview

The skill coherently integrates MiniMax image generation, with normal cautions around API-key handling, uploading reference images, and saved output files.

Use this skill if you are comfortable sending prompts and selected reference images to MiniMax. Store MINIMAX_API_KEY securely, avoid command-line API keys when possible, confirm any reference image path before upload, and check the local output directory for generated files.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Info

#ASI02: Tool Misuse and Exploitation

What this means

Generated images will remain on disk and may be written to a chosen directory.

Why it was flagged

The script downloads provider-returned image content and writes it to local disk. This is the expected output behavior, but users should know files persist and the save directory can be changed.

Skill content

parser.add_argument("--save-dir", dest="save_dir", default="~/.openclaw/workspace/assets/images", help="保存目录") ... with open(filepath, 'wb') as f: f.write(img_response.content)

Recommendation

Use the default workspace or review any --save-dir value before running, and delete unwanted generated files.

Low

#ASI03: Identity and Privilege Abuse

What this means

If the API key is exposed, someone else could use the MiniMax account or consume credits.

Why it was flagged

The skill uses a MiniMax bearer credential to call the provider API and also allows the key to be passed on the command line. This is expected for the service, but the credential grants account/API access.

Skill content

api_key = api_key or os.getenv("MINIMAX_API_KEY") ... "Authorization": f"Bearer {api_key}" ... parser.add_argument("--api-key", dest="api_key")

Recommendation

Prefer MINIMAX_API_KEY in a secret manager or environment variable, avoid passing keys via --api-key, and rotate the key if it may have been exposed.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Private or personal reference images may be shared with MiniMax when used for image-to-image generation.

Why it was flagged

For image-to-image generation, a local reference image selected with --local is encoded into the API request and sent to MiniMax. This is purpose-aligned, but sensitive photos leave the local environment.

Skill content

with open(local_file, "rb") as f: img_base64 = base64.b64encode(f.read()).decode() ... "image_file": image_file ... requests.post(url, json=payload, headers=headers, timeout=60)

Recommendation

Only provide reference images you intend to upload to MiniMax, and verify the local file path before invoking the skill.