Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax CLI

v1.0.0

MiniMax AI platform CLI — text, image, video, speech, music, vision, and web search from terminal or AI agents. Use when generating multimedia content (image...

by Tyler (@tylerdotai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description and the SKILL.md content are consistent: this is a CLI helper for the MiniMax platform. However, the skill instructs installing an external npm package (mmx-cli) and expects an API key and local config, yet the registry metadata declares no required environment variables or config paths — an incoherence between claimed requirements and actual usage.
! Instruction Scope
The instructions tell users/agents to run `npm install -g mmx-cli` and to perform authenticated CLI actions (mmx auth login --api-key ...), reference an on-disk config (~/.mmx/config.json) and the MINIMAX_API_KEY env var. Those sensitive artifacts are not declared in the skill's metadata. The SKILL.md tells the agent to install and execute third-party code and to write/read local config, which expands scope beyond a harmless instruction-only helper.
! Install Mechanism
There is no formal install spec in the skill bundle, but the guidance explicitly directs a global npm install of `mmx-cli`. Installing a third-party npm package executes network-downloaded code on the host and is a non-trivial risk. Because no package source/homepage is supplied in the registry metadata, the origin and integrity of that npm package cannot be verified from the skill bundle alone.
! Credentials
The SKILL.md and api-notes reference an API key (example sk-xxxxx), the MINIMAX_API_KEY env var, and a config file (~/.mmx/config.json), but the skill metadata lists no required env vars or config paths. Requesting API credentials and local config access is reasonable for a CLI that calls a remote service, but it should be declared; the omission is a mismatch that could hide credential exfiltration risks.
Persistence & Privilege
The skill does not request always:true and does not claim to modify other skills or system-wide settings. Autonomous invocation is allowed (default) which is normal. The main persistence risk comes from installing the external npm package, not from the skill metadata itself.
What to consider before installing
Proceed with caution. The SKILL.md instructs installing and running a third-party npm package and requires an API key and local config, but the skill metadata does not declare those requirements — this mismatch is suspicious. Before installing: (1) verify the mmx-cli package on the npm registry and its source repository (check publisher, recent changes, and whether it’s the official MiniMax release), (2) do not supply a high‑privilege or production API key; use a limited-scope key or test account, (3) inspect the package code (or run it in a disposable sandbox/container) to see how it stores/transmits keys (it references ~/.mmx/config.json and MINIMAX_API_KEY), and (4) prefer an official homepage or vendor documentation — the registry entry lacks a homepage. If you can provide the npm package URL or the package source repo, I can do a more precise assessment.

Like a lobster shell, security has layers — review code before you run it.
