Skill v1.1.0

ClawScan security

MiniMax Video Generation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 17, 2026, 10:57 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill appears to implement the described video-generation features, but its declared requirements (no credentials) do not match the code and documentation, which require a MINIMAX_API_KEY and network access—this mismatch is a meaningful incoherence you should understand before installing.
Guidance
Before installing or using this skill:
(1) Be aware the script requires an API key (MINIMAX_API_KEY) despite the registry saying no env vars—confirm where that key comes from and do not supply unrelated credentials.
(2) Verify the API domain (https://api.minimaxi.com) is the legitimate service you expect; check vendor/homepage contact or documentation if possible.
(3) Understand that images you upload and generated videos are sent to that external service—avoid sending sensitive or private images unless you trust the provider and understand their retention/privacy policies.
(4) The package has no install spec; ensure the runtime has Python and the 'requests' library available.
(5) Consider running the included script in an isolated environment or container first, and test with a throwaway API key or low-privilege account to confirm behavior.
If the registry metadata is updated to declare MINIMAX_API_KEY (and ideally provide an official homepage or publisher verification), the incoherence would be resolved and my confidence would improve.

Review Dimensions

Purpose & Capability
concern: Name/description and the included SKILL.md and script all describe a MiniMax video-generation integration and the code implements API calls to api.minimaxi.com, which is consistent with the stated purpose. However, the registry metadata declares no required credentials or primary credential while both SKILL.md examples and scripts require a MINIMAX_API_KEY. That omission is an incoherence between claimed requirements and actual capability.
Instruction Scope
concern: Runtime instructions and the script perform network calls to https://api.minimaxi.com endpoints, read local image files (or accept image URLs), poll task status, and save generated video files into the user's home workspace (~/.openclaw/workspace/assets/videos). Those actions are expected for this purpose, but the SKILL.md/manifest do not declare the required API key and do not warn about privacy/PII of uploaded images or link expiry—this gives the skill broad discretion without clearly documented requirements.
Install Mechanism
note: This is instruction-only with an included Python script (no install spec). That is low risk from an installer perspective. The script depends on 'requests' and standard libs but the package/dependency requirements are not declared (no requirements.txt). This is operationally inconvenient but not itself malicious.
Credentials
concern: The code requires an API key via the MINIMAX_API_KEY environment variable or --api-key argument, yet the skill metadata lists no required env vars or primary credential. Requesting an API key for the service itself is proportionate, but failing to declare it in the registry is a clear mismatch and could mislead users about necessary secrets and permissions.
Persistence & Privilege
ok: The skill does not request 'always: true', does not modify other skills or system-wide settings, and is user-invocable. It does save files to a user-specific workspace directory, which is within normal scope for a content-generation tool.