Skill v1.0.0

ClawScan security

web-search-minimax · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 12, 2026, 11:49 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely does what it claims (runs a Node script that calls a Minimax search API), but the package metadata omits the required API credential and there is no authoritative homepage or publisher information — this mismatch and lack of provenance are concerning.
Guidance
This skill appears to simply POST search queries to https://api.minimaxi.com and return formatted results, which is consistent with its description and script. However: (1) the registry metadata incorrectly lists no required env vars while the script and SKILL.md require MINIMAX_API_KEY — treat that as a red flag for sloppy or incomplete packaging; (2) the publisher and homepage are missing, so you have no provenance for the API provider (verify the domain and the provider's reputation before supplying a real API key); (3) queries are sent to an external service, so avoid sending PII, secrets, or confidential queries. If you decide to use it, create or use a limited-scope API key (rotate/delete it after testing) and verify that the API host is legitimate and its privacy/terms meet your needs.

Review Dimensions

Purpose & Capability
concern: The skill name/description match the included script: it performs web searches via a Minimax Coding Plan Search API. However, registry metadata lists no required environment variables while both SKILL.md and scripts/search.cjs require MINIMAX_API_KEY. That metadata omission is an incoherence the user should notice.
Instruction Scope
note: SKILL.md instructs the agent to run the included Node script with a query and documents that the API key is read from MINIMAX_API_KEY and that requests are sent to https://api.minimaxi.com/v1/coding_plan/search. The runtime instructions and the script are consistent with each other and confined to calling that external API and printing results; they do not access other files or secrets. The main scope issue is the undocumented API key in the registry metadata.
Install Mechanism
ok: No install spec (instruction-only plus one script). No downloads or archive extraction. Only requirement is the node binary, which is proportionate for a .cjs script.
Credentials
concern: The code requires a single credential, MINIMAX_API_KEY (read from the environment), but the registry metadata claims none. Requiring an API key is expected for an external search API, but the metadata omission is misleading. Also, the skill sends whatever query text it is given to an external host (api.minimaxi.com), so users should avoid sending sensitive data unless they trust that provider.
Persistence & Privilege
ok: The skill does not request always:true, does not modify other skills or system config, and only executes on explicit invocation (or autonomous invocation per platform defaults). No elevated persistence is requested.