MiniMax Coding Plan

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward MiniMax search and image-analysis wrapper, with expected external API use and credential handling.

Install this only if you want MiniMax-native search or image understanding. Verify that your MiniMax API key, OAuth profile, and any MINIMAX_API_HOST setting are intentional, and avoid sending private screenshots, documents, internal URLs, or confidential images unless external MiniMax processing is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tainted flow: 'req' from os.environ.get (line 110, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
return image_source
    if image_source.startswith(("http://", "https://")):
        req = urllib.request.Request(image_source, headers={"User-Agent": "OpenClaw-MiniMax-Plan/1.0"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            data = resp.read()
            mime = detect_mime(image_source, resp.headers.get("Content-Type", ""))
        encoded = base64.b64encode(data).decode("utf-8")
Confidence: 96%
Finding: with urllib.request.urlopen(req, timeout=30) as resp:

Tainted flow: 'req' from os.environ.get (line 110, credential/environment) → urllib.request.urlopen (network output)

Severity: Critical
Category: Data Flow
Content:
},
    )
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        body = exc.read().decode("utf-8", errors="replace")
Confidence: 84%
Finding: with urllib.request.urlopen(req, timeout=60) as resp:

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 93%
Finding: The skill invokes a local shell wrapper that can access environment variables, local files, and the network, yet it declares no permissions or trust boundaries. This creates a transparency and policy-enforcement gap: users and hosts may not realize the skill can read credentials, inspect local paths, and send data to external services.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill instructs the agent to send search queries, prompts, image files, or image URLs to MiniMax, but it does not warn that these inputs may leave the local environment and be processed by a third-party service. In context, this is more dangerous because image understanding commonly involves screenshots or documents that may contain sensitive internal data, making accidental data exfiltration plausible.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding: The skill states it will automatically use MINIMAX_API_KEY or discover OAuth profiles from common local locations, but it does not disclose this automatic credential use to the user. While this is not direct credential exfiltration by itself, it can surprise operators and cause unintended account usage, billing, or policy violations when the skill silently authenticates with locally available secrets.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The code will fetch remote images and transmit image content plus prompts to a third-party API without any built-in disclosure, confirmation, or safety gating. In an agent setting, this increases the chance of unintended data egress, especially if users provide sensitive local files, data URLs, or internal-only image endpoints.

VirusTotal

VirusTotal findings are pending for this skill version.
