Skill v1.0.0
ClawScan security
understand-image-minimax · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 11:46 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill largely does what it claims (analyze images via a Minimax VLM API), but the metadata omits a required API key, and the code will read local files and upload image data to an external host — a privacy/exfiltration risk and a metadata/instruction incoherence.
- Guidance: Before installing, note three things. (1) The script expects MINIMAX_API_KEY in the environment, but the registry metadata doesn't list it — the skill will fail or behave insecurely unless you set that key. (2) When invoked, it will read local image files you pass (or download URLs) and send the full image (base64) to https://api.minimaxi.com; do not allow it to run automatically on sensitive images or folders. (3) Verify that you trust the Minimax service and that the API key has appropriate, limited permissions; consider running the skill in a sandboxed environment, reviewing the included script, and ensuring the agent won't auto-invoke the skill on images you don't intend to upload. If you want tighter assurance, ask the publisher to update the registry metadata to declare MINIMAX_API_KEY and to provide a trustworthy homepage/source for the API.
Review Dimensions
- Purpose & Capability (note): Name/description match the code: it sends images and a prompt to a Minimax VLM endpoint. Requiring the node binary is reasonable. However, SKILL.md and the code require MINIMAX_API_KEY while the registry metadata lists no required env vars — this is an inconsistency.
- Instruction Scope (note): SKILL.md and the script constrain behavior to converting an input image (URL, local file, or data URL) to base64 and POSTing it with a prompt to https://api.minimaxi.com/v1/coding_plan/vlm. SKILL.md also instructs agents to always use this skill for images, which could cause the agent to send user-supplied or local images automatically.
- Install Mechanism (ok): No install spec; the skill is instructions plus a local Node script that runs with the node binary. Nothing is downloaded or extracted at install time.
- Credentials (concern): The script and SKILL.md require MINIMAX_API_KEY, but the registry metadata did not declare any required env vars — a mismatch. The skill will transmit full image data (including local files converted to base64) to a third-party API, which is proportionate for an image-analysis skill but poses a privacy risk; confirm the API key's scope and the trustworthiness of api.minimaxi.com.
- Persistence & Privilege (ok): The always flag is false, and the skill does not request persistent system-wide changes or modify other skills. It runs only when invoked.
