Skill flagged: suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

Minimax Coding Plan Tool

v1.0.4

MiniMax Token Plan tool: supports image generation, image understanding, speech synthesis and video generation. Calls the official MiniMax API directly, implemented in pure JavaScript, no external MCP server required.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The SKILL.md advertises five features (image generation, image understanding, TTS, video generation, web search), but the shipped code only implements web_search, understand_image, and generate_image. In places the README/header even claims the tool provides only two tools, so the capability claims are inconsistent. The required binary (node) and the declared env var MINIMAX_API_KEY match the implemented code, but the scope declared in the documentation (speech/video) is not implemented in code, which is misleading.
Instruction Scope (flagged)
The runtime instructions explicitly tell users to supply an OpenClaw OAuth token (sk-cp-...) as the API key and show a full 'openclaw config set' example with a long sk-cp token. The code will send that token in an Authorization header to api.minimaxi.com. The tool reads local image files (converting them to base64) and POSTs that data to the external API. This is expected for image analysis, but it also enables exfiltration of any local file with a supported image extension (an attacker could rename sensitive files to .png etc.). The SKILL.md and code do not instruct reading other unrelated system paths, but the explicit guidance to use a platform OAuth token is sensitive and risky.
Install Mechanism
There is no install script or remote download; this is an instruction-only skill with a single JS file. The required runtime is node. No external installers or archives are fetched by the skill itself.
Credentials (flagged)
The skill requires a single env var, MINIMAX_API_KEY (the declared primary credential). However, the documentation instructs users to supply their OpenClaw OAuth token (sk-cp-...), which is a highly privileged platform credential. It is unclear whether a platform OAuth token is necessary or whether a separate MiniMax-specific API key could be used. Requesting that platform token and sending it to an external host is disproportionate unless Token Plan truly requires it. Additionally, the SKILL.md includes a hardcoded example token string, which is poor practice and potentially sensitive.
Persistence & Privilege
The skill does not request 'always: true' and does not appear to modify other skills or system-wide settings. It only requires the API key at runtime and will run as a normal user process.
What to consider before installing
This skill is inconsistent and requires caution. What to consider before installing or using it:
- The documentation asks you to provide an OpenClaw OAuth token (sk-cp-...) and the code will send that token to api.minimaxi.com. Treat that token as highly sensitive; do not supply your platform OAuth token unless you explicitly trust the author and have confirmed that the Token Plan really requires platform tokens.
- The SKILL.md advertises TTS and video features that are not implemented in the included code. Ask the author why those features are missing or whether you were given the correct release.
- The tool will read local image files and convert them to base64 for upload. Do not point it at any files that contain secrets or sensitive data (you could accidentally exfiltrate credentials if you rename them to an image extension).
- Metadata mismatches: the embedded _meta.json ownerId/version differ from the registry metadata, which can indicate repackaging or stale metadata. Verify the skill's author and origin before use.
- If you want to test safely: run the code in a network-restricted sandbox and inspect outbound requests (ensure it only calls the intended api.minimaxi.com endpoints). Prefer creating a limited, minimally privileged API key (not your main OpenClaw OAuth token) if the service supports it.
- If you cannot confirm the provenance or the necessity of using an sk-cp token, do not provide your platform OAuth token; ask the publisher to provide an official MiniMax-specific API key flow or a privacy justification.


Runtime requirements

Clawdis
Bins: node
Env: MINIMAX_API_KEY
Primary env: MINIMAX_API_KEY