Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MiniMax Coding Plan
v0.1.1
MiniMax Coding Plan native web search and image understanding for OpenClaw. Use when the user specifically wants MiniMax-native search or image analysis, or...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements web_search and understand_image endpoints against a MiniMax API host, matching the skill's stated purpose. It also attempts to obtain a MiniMax API key from MINIMAX_API_KEY or from OpenClaw auth profile files, which is reasonable for an API client. However the skill metadata declared no required environment variables even though MINIMAX_API_KEY is used at runtime.
Instruction Scope
Runtime behavior is mostly within scope (sending queries and image data to the MiniMax API). Concerns: the code will read multiple candidate auth-profiles.json files from OpenClaw agent dirs (OPENCLAW_AUTH_PROFILES_JSON, OPENCLAW_AGENT_DIR, OPENCLAW_HOME, ~/.openclaw, and /home/admin/.openclaw). While it only extracts specific fields for a minimax profile, scanning those locations can expose other sensitive agent configuration files and tokens to the skill's logic. The script also fetches remote image URLs (downloading arbitrary user-supplied URLs) and base64-uploads image content to the external API — expected for image understanding but important to be aware of.
Install Mechanism
No install spec; the skill is instruction/code-only and runs the included Python script. Nothing is downloaded at install time and no additional packages or network installers are invoked.
Credentials
Registry metadata claims no required env vars, but the runtime uses MINIMAX_API_KEY and several OpenClaw environment variables (OPENCLAW_AUTH_PROFILES_JSON, OPENCLAW_AGENT_DIR, OPENCLAW_HOME) to find auth profiles. Requesting access to agent auth profiles (which may contain other credentials) is broader than the skill metadata indicates and should have been declared and justified.
Persistence & Privilege
The skill does not request always:true, does not write to system-wide configs, and does not persist new credentials. It runs on demand and does not change other skills' configurations.
What to consider before installing
This skill appears to perform MiniMax web search and image analysis by calling an external API (DEFAULT_HOST https://api.minimaxi.com). Before installing:
- Be aware the script will upload image contents (base64) and your queries to that external host.
- The code will look for an API key in MINIMAX_API_KEY or by reading OpenClaw auth-profiles.json files from several locations (OPENCLAW_AUTH_PROFILES_JSON, OPENCLAW_AGENT_DIR, OPENCLAW_HOME, ~/.openclaw, /home/admin/.openclaw). Confirm you are comfortable with the skill reading those files (they can contain other secrets).
- The skill's registry metadata does not declare MINIMAX_API_KEY or the auth-profile access; that mismatch is a red flag. Ask the author to document required env vars and why those paths are searched.
- Because no homepage or publisher information is provided and the API host is external, verify the trustworthiness of the MiniMax API endpoint before sending sensitive images or data.
- If you decide to use it: supply MINIMAX_API_KEY explicitly in a controlled environment, or ensure auth-profiles.json files do not contain unrelated secrets; consider network monitoring or running in a sandbox if you need to audit what is sent.
I have moderate confidence in this assessment; providing the skill's author or a canonical homepage, or confirming the API host is legitimate and the exact format of auth-profiles.json, would increase confidence.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🧠 Clawdis
