Skill v1.0.0

ClawScan security

minimax-image · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 6:13 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (calling the MiniMax image-generation API) and only requests the MiniMax API key; there are no unexpected endpoints, installs, or broad credential demands.
Guidance
This skill appears to do what it claims: a simple Python client for MiniMax image generation that needs your MiniMax API key. Before installing:
(1) Confirm you trust the MiniMax endpoint (api.minimaxi.com) and that your API key is a scoped key (not a broadly privileged secret).
(2) Be aware returned image URLs expire (SKILL.md says 24 hours).
(3) The repository source is 'unknown' and has no homepage—if you require provenance, request a published source or vendor link.
(4) Install only within an environment where storing MINIMAX_API_KEY as an env var is acceptable (avoid putting long-lived secrets in shared CI logs).
(5) Note the minor metadata mismatch: _meta.json lists curl though the script uses Python requests; this is low risk but worth noting.

Review Dimensions

Purpose & Capability
ok: Name/description, SKILL.md, _meta.json, and the script all describe and implement an image-generation client for MiniMax using the same API host (api.minimaxi.com) and the expected MINIMAX_API_KEY. The required functionality (text->image and image->image) is implemented and matches the documented models and options.
Instruction Scope
ok: Runtime instructions only direct the agent/user to set MINIMAX_API_KEY, invoke the provided Python script, and call the documented API endpoint. The SKILL.md and script do not attempt to read unrelated files, other environment variables, or send data to third-party endpoints beyond the stated MiniMax API.
Install Mechanism
note: There is no install spec (instruction-only + a bundled script). requirements.txt only lists 'requests'. _meta.json lists python3 and curl, but the bundled script uses Python 'requests' (curl is not used). This mismatch is minor but worth noting; there are no downloads from untrusted URLs or extraction of archives.
Credentials
ok: The only credential required is MINIMAX_API_KEY (declared as primaryEnv). No other tokens, secrets, or unrelated credentials are requested. This is proportionate for a hosted image-generation API client.
Persistence & Privilege
ok: 'always' is false and the skill does not request system-wide persistence or modification of other skills. It is user-invocable and uses the normal autonomous-invocation default; nothing else grants elevated or permanent privileges.