Skill v1.1.0
ClawScan security
MiniMax Music Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 17, 2026, 10:57 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions mostly match a music-generation tool, but the package metadata omits the required API credential and dependency notes; this mismatch and the file-writing/network behavior deserve caution before installing.
- Guidance: What to consider before installing:
  - (1) The package metadata fails to declare the main secret it uses, MINIMAX_API_KEY, so expect to supply an API key. Verify whether you trust https://api.minimaxi.com before giving a key; network calls will send your prompts/lyrics and the API key to that service.
  - (2) The scripts write files to ~/.openclaw/workspace/assets/music and will download audio from URLs provided by the API. If you need to keep outputs private, run in a sandbox or change save paths.
  - (3) The repo does not declare runtime requirements (Python version, requests). Ensure you run these scripts in a controlled environment and inspect them (we reviewed them: they are straightforward HTTP calls and file writes).
  - (4) If you are unsure about the MiniMax service's legitimacy, create a restricted/test API key with minimal permissions or avoid installing.
  - (5) If you plan to allow autonomous agent invocation, be aware the agent could call the external API automatically and use your provided key; only enable that if you trust the skill and service.
Review Dimensions
- Purpose & Capability (concern): The name/description and the included scripts all implement lyrics + music generation and call https://api.minimaxi.com endpoints as expected. However, the registry metadata declares no required environment variables or primary credential, while every example and every script requires the MINIMAX_API_KEY; that mismatch is incoherent and could mislead users about what secrets will be needed.
- Instruction Scope (note): SKILL.md and the scripts instruct the agent/user to call the external MiniMax APIs, save lyrics (.txt) and audio (.mp3) under ~/.openclaw/workspace/assets/music, and download audio from URLs returned by the API. Those actions are within the stated purpose. The instructions do access an environment variable (MINIMAX_API_KEY) and write to user home paths, both expected for this skill but not declared in metadata. There are no instructions to read unrelated system files or transmit data to unexpected endpoints.
- Install Mechanism (note): No install spec (instruction-only), which is lower risk because nothing arbitrary is downloaded. Scripts require Python and the 'requests' library, but the skill metadata does not declare these dependencies; this omission may cause runtime errors and is a minor coherence issue (should declare runtime requirements).
- Credentials (concern): The code unambiguously requires MINIMAX_API_KEY (read via os.getenv) for API authentication, yet the registry lists no required env vars or primary credential. Requesting an API key for the external MiniMax service is appropriate for the stated purpose, but the omission from metadata is misleading and could hide the need to provide a secret. No other unrelated credentials are requested.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request elevated platform privileges. It writes output files under ~/.openclaw/workspace/assets/music (its own workspace) and does not modify other skills or system-wide settings. This level of local file writing is expected for a content-generation tool.
