Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiniMax Token Plan Tool

A lightweight MiniMax Token Plan Tool skill that directly calls official MCP APIs using pure JavaScript. No external MCP servers. No subprocess invocation. D...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Yorch @yorch233
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is a Node.js tool that directly calls MiniMax Token Plan APIs. It declares node and MINIMAX_API_KEY / MINIMAX_API_HOST, which are exactly what a direct-API implementation needs. There are no unrelated credentials, binaries, or configuration paths requested.
Instruction Scope
SKILL.md and the JS implement the three documented tools (web_search, understand_image, remains). The instructions explicitly document how to run the node script, how local images are handled (converted to base64 and uploaded), and warn about outbound network/data-leak risk. The runtime actions (DNS resolution, HTTP(S) requests, file reads for local images) are consistent with the described features and do not reference or exfiltrate data to unexpected endpoints.
Install Mechanism
There is no install spec; this is instruction-plus-script only. No code is downloaded from external URLs during install and no archives are extracted. This is the lowest-risk install model and matches the skill's stated 'pure JavaScript, no external server' claim.
Credentials
Only MINIMAX_API_KEY (primary) and optional MINIMAX_API_HOST are required, which is proportionate for a direct API client. The code only reads these environment variables and does not request unrelated secrets or access to other services.
Persistence & Privilege
The skill does not request always:true and has no install steps that modify other skills or system-wide settings. It runs as an invoked Node.js script and does not persist elevated privileges or auto-enable itself.
Assessment
This skill appears to implement exactly what it claims: a Node.js client for MiniMax Token Plan APIs. Before installing: 1) Only provide a Token Plan API key (not broader credentials), and prefer a key with limited scope; 2) Understand that local images submitted will be uploaded to MiniMax—do not send sensitive or regulated images; 3) MINIMAX_API_HOST is limited to the two official hosts per SKILL.md—verify you use the correct host for your token; 4) If you require higher assurance, review the full minimax_token_plan_tool.js source (it performs DNS checks and blocks private IPs for remote image fetches) and consider running it in a sandboxed environment or with a service account whose key can be rotated. Overall the skill is coherent and proportional to its stated purpose.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

minimax_token_plan_tool.js:24: Environment variable access combined with network send.
minimax_token_plan_tool.js:386: File read combined with network send (possible exfiltration).


Current version: v1.1.5

Runtime requirements

🪙 Clawdis
Bins: node
Env: MINIMAX_API_KEY, MINIMAX_API_HOST
Primary env: MINIMAX_API_KEY

SKILL.md

MiniMax Token Plan Tool

Requires a Token Plan API Key. Subscribe at: MiniMax Token Plan (China Mainland) or MiniMax Token Plan (Global)

A lightweight MiniMax Token Plan Tool skill that directly calls official APIs using pure JavaScript. No external MCP servers.

Designed for minimal overhead and fast integration within OpenClaw.


Features

This skill provides three native capabilities of MiniMax Token Plan:

1. minimax_web_search

Web search powered by MiniMax Token Plan API.

2. minimax_understand_image

Vision-language image understanding via MiniMax VLM.

3. minimax_token_plan_remains

Query remaining Token Plan usage and quota information.


Architecture

  • Pure JavaScript implementation
  • Direct HTTPS API calls
  • No MCP server runtime required
  • No external tool dependency
  • Minimal resource usage

Configuration

Default recommendation: put MINIMAX_API_KEY and MINIMAX_API_HOST in ~/.openclaw/.env.

# ~/.openclaw/.env
MINIMAX_API_KEY="sk-your-key"

# China Mainland
MINIMAX_API_HOST="https://api.minimaxi.com"

# or Global
MINIMAX_API_HOST="https://api.minimax.io"

OpenClaw can load these values as the default environment for this Skill. If you update ~/.openclaw/.env, restart OpenClaw or the gateway process if the new values are not picked up immediately. Only these two official hosts are supported.

Use a matching Token Plan key for the selected host:

Optional API Host

# China Mainland
export MINIMAX_API_HOST="https://api.minimaxi.com"

# or Global
export MINIMAX_API_HOST="https://api.minimax.io"

Only https://api.minimaxi.com and https://api.minimax.io are accepted. If MINIMAX_API_HOST is not set, the script defaults to https://api.minimaxi.com.


Tool Discovery

Execute minimax_token_plan_tool.js with environment variable MINIMAX_API_KEY and optional MINIMAX_API_HOST to dynamically register these tools:

node minimax_token_plan_tool.js tools

Output format:

{
  "tools": [
    {
      "name": "minimax_web_search",
      "description": "...",
      "inputSchema": { ... }
    },
    {
      "name": "minimax_understand_image",
      "description": "...",
      "inputSchema": { ... }
    },
    {
      "name": "minimax_token_plan_remains",
      "description": "...",
      "inputSchema": { ... }
    }
  ]
}

Tool 1 - minimax_web_search

Purpose

Real-time web search using MiniMax Token Plan search API.

CLI Invocation

node minimax_token_plan_tool.js web_search "<query>"

Example:

node minimax_token_plan_tool.js web_search "OpenAI GPT-5 release date"

Input Schema

{
  "query": "string"
}

Output Format

Success:

{
  "success": true,
  "query": "...",
  "results": [
    {
      "title": "...",
      "link": "...",
      "snippet": "...",
      "date": "..."
    }
  ],
  "related_searches": []
}

Error:

{
  "error": "error message"
}

Tool 2 - minimax_understand_image

Purpose

Image understanding using MiniMax Token Plan VLM API. Only mainstream image formats are supported (for example: JPEG/JPG, PNG, WebP, and GIF).

Supports:

  • HTTP / HTTPS image URLs
  • Local file paths
  • @localfile.jpg shorthand

Local files are automatically converted to base64 data URLs. Remote image URLs are fetched by this tool and then converted to data URLs before being sent to the MiniMax API. Remote image fetching is restricted to public HTTP/HTTPS targets and rejects localhost, private-network addresses, unsupported ports, and excessive redirects.
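
The restrictions on remote image fetching described above, sketched as an added example; this is not code from minimax_token_plan_tool.js. The function names, the allowed ports, the redirect limit of 3 and the sample addresses are assumptions, and DNS resolution is left to the caller so the block runs offline.

```javascript
// Added example (not the skill's code): vet a remote image URL before fetching.
// Assumptions: default ports only, a redirect cap of 3, canonical address strings.
const ALLOWED_PORTS = new Set(['', '80', '443']); // '' = scheme default port
const MAX_REDIRECTS = 3;
// Non-public IPv4 ranges as [network, prefix length]; not an exhaustive registry.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

function v4ToInt(ip) {
  const parts = ip.split('.');
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return valid ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function isPublicAddress(addr) {
  const a = addr.toLowerCase();
  const mapped = a.match(/^::ffff:(.+)$/); // IPv4-mapped IPv6
  const n = v4ToInt(mapped ? mapped[1] : a);
  if (n !== null) {
    return !BLOCKED_V4.some(([net, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(v4ToInt(net) / size);
    });
  }
  if (mapped || !a.includes(':')) return false; // hex-form mapped or not an IP: fail closed
  if (a === '::' || a === '::1') return false;  // unspecified, loopback
  // ULA fc00::/7, link-local fe80::/10, multicast ff00::/8
  return !/^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]|ff[0-9a-f]{2}):/.test(a);
}

// resolvedAddrs: every address DNS returned for the hostname (caller resolves).
function checkImageUrl(rawUrl, resolvedAddrs, redirectCount = 0) {
  let u;
  try { u = new URL(rawUrl); } catch { return { ok: false, reason: 'url' }; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return { ok: false, reason: 'scheme' };
  if (!ALLOWED_PORTS.has(u.port)) return { ok: false, reason: 'port' };
  if (redirectCount > MAX_REDIRECTS) return { ok: false, reason: 'redirects' };
  const host = u.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  // An IP literal stands for itself; a name is judged by all of its resolved addresses.
  const literal = v4ToInt(host) !== null || host.includes(':');
  const addrs = literal ? [host] : resolvedAddrs;
  const allPublic = Array.isArray(addrs) && addrs.length > 0 && addrs.every(isPublicAddress);
  return allPublic ? { ok: true, reason: null } : { ok: false, reason: 'address' };
}
```

Run the check again for every redirect hop, and connect to the address that was vetted rather than re-resolving the name, so a DNS answer that changes between check and fetch cannot swap in an internal target.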

Security Notice

This tool requires outbound network access. If a local image is provided, its content is transmitted to the remote MiniMax API for processing, which introduces a potential risk of local image data leakage. Do not submit sensitive, private, or regulated images unless you fully accept this risk.

CLI Invocation

node minimax_token_plan_tool.js understand_image <image_source> "<prompt>"

Examples:

Remote image:

node minimax_token_plan_tool.js understand_image https://example.com/image.jpg "Describe this image"

Local image:

node minimax_token_plan_tool.js understand_image ./photo.png "What objects are visible?"

With @ prefix:

node minimax_token_plan_tool.js understand_image @photo.png "Summarize the scene"

Input Schema

{
  "image_source": "string",
  "prompt": "string"
}

Output Format

Success:

{
  "success": true,
  "prompt": "...",
  "image_source": "...",
  "analysis": "model response"
}

Error:

{
  "error": "error message"
}

Tool 3 - minimax_token_plan_remains

Purpose

Query remaining Token Plan usage through the MiniMax open platform remains endpoint.

CLI Invocation

node minimax_token_plan_tool.js remains

Input Schema

{}

Output Format

Success:

{
  "success": true,
  "remains": {
    "...": "provider response"
  }
}

Error:

{
  "error": "error message"
}

Note:

  • All times are in UTC+0. Convert them based on the user's local region.
  • For all models, MiniMax-M* uses a 5-hour period. Other generative models use a 1-day period.
  • remains_time and weekly_remains_time are formatted as DD:HH:MM:SS.
  • *_quota = 0 means the current Token Plan subscription does not include that model.

Official Recommendation

This Skill is a lightweight JavaScript implementation built on top of the official MiniMax APIs. For best compatibility and long-term support, the official MCP is recommended: MiniMax-Coding-Plan-MCP.

For speech synthesis, image generation, and video generation, the official Skill is recommended: Minimax-Multimodal-Toolkit.
