Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
video-generation-minimax
v1.0.0视频生成技能,使用 MiniMax 视频生成 API 创建视频
⭐ 1· 1.2k·1 current·1 all-time
by深柒@xbos1314
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description match the code: the script calls a MiniMax video-generation API. However the registry metadata lists no required environment variables while both SKILL.md and scripts/video_gen.py require MINIMAX_API_KEY. Also SKILL.md claims generated videos are 'automatically downloaded to {WorkspaceDir}/video-generation/ and then sent to the user' but the script only writes a file to the current working directory (or --output path) and contains no logic to move files to a workspace directory or to transmit them to the user.
Instruction Scope
Runtime instructions are limited to calling the MiniMax API and downloading the produced file. SKILL.md instructs installing requests and setting MINIMAX_API_KEY (consistent with code). The instructions' claim that the agent will place outputs in {WorkspaceDir}/video-generation/ and send them to users is not implemented in the script, giving the agent broader implied behavior than the code actually performs. The 'subject' mode accepts face images — a privacy consideration not emphasized in the SKILL.md.
Install Mechanism
No install spec; this is instruction+script only. The only runtime dependency is python3 and Python package 'requests' (requested), which is proportionate for an HTTP client script. The script makes network calls only to the declared API host and to returned download URLs.
Credentials
The script requires a single API credential MINIMAX_API_KEY (read from environment) but the skill manifest/registry metadata declared no required env vars. This mismatch means the catalog entry understates the credential needed. Requesting one API key is reasonable for this purpose, but it must be declared so users can make an informed decision.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system settings. It runs as an on-demand script and saves output locally; no persistent elevated privileges are requested.
What to consider before installing
Before installing: (1) Be aware the skill requires an API key MINIMAX_API_KEY — the registry metadata does not declare this, so you must provide it manually. Only use a key with limited scope and from a trusted MiniMax account. (2) The SKILL.md claims outputs will be placed in {WorkspaceDir}/video-generation/ and sent to users; the included script instead saves to the current directory or the --output path and does not implement sending — treat the 'automatic send' claim as incorrect. (3) The 'subject' mode accepts face images; consider privacy and consent implications before uploading or pointing to pictures of real people. (4) Verify the MiniMax endpoint/domain (api.minimaxi.com / platform.minimaxi.com) is legitimate for the provider you expect. (5) Because the script downloads a file from a URL returned by the API, run it in a sandbox or isolated environment if you are concerned about untrusted content. If you want to proceed, update the registry metadata to declare MINIMAX_API_KEY and optionally correct the SKILL.md to match the actual file save/send behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk975fx3n4m653yr893cdm10yex82tf98
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎬 Clawdis
Binspython3