ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ali Minimax Toolkit

v1.0.0

MiniMax multimodal generation via API. Use when user wants voice, music, image, image-to-image, or video generation with MiniMax. Supports TTS, music, image...

0· 48·0 current·0 all-time
by@yuan-huicheng
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Skill claims to provide MiniMax multimodal generation (TTS, music, image, video) and the code indeed implements API calls to api.minimaxi.com. Requiring a MINIMAX_API_KEY is coherent with the stated purpose. However the registry metadata declared no required environment variables or primary credential while SKILL.md and the Python code require MINIMAX_API_KEY (and optionally MINIMAX_API_HOST and MINIMAX_OUTPUT_DIR). This metadata omission is an incoherence.
!
Instruction Scope
SKILL.md and scripts instruct the agent to read MINIMAX_API_KEY, optionally MINIMAX_API_HOST, and FEISHU_CHAT_ID and to write generated files to minimax-output/. The instructions also reference a PowerShell script and a requirements.txt/ffmpeg installation for some workflows, but those files are not present in the manifest (scripts/minimax-api.ps1 is referenced as 'preserved' but not included; no requirements.txt present). The generate_and_send script prints Feishu send instructions but does not itself perform Feishu network calls (it expects a separate feishu-media skill). The agent will therefore access environment variables and network endpoints not declared in the registry metadata — this is scope creep and a transparency issue.
Install Mechanism
There is no install spec (instruction-only install), which is lower risk from an installer perspective. The skill includes Python scripts that run with only the standard library; network calls are made via urllib. However SKILL.md and references mention pip install -r requirements.txt and ffmpeg, despite no requirements.txt in the bundle — this inconsistency could confuse users and lead to accidental installs from other sources.
!
Credentials
The code requires MINIMAX_API_KEY (expected for calling the MiniMax API). But the registry declared no required env vars/credentials; SKILL.md explicitly expects MINIMAX_API_KEY (format 'sk-...') and optionally FEISHU_CHAT_ID and MINIMAX_API_HOST. The undeclared required secret (API key) is a material omission. FEISHU_CHAT_ID is not a secret but the skill's documentation ties into a separate feishu-media skill — supplying a chat ID may cause the agent to prepare data for external delivery. Also _meta.json contains a different ownerId/slug than the registry metadata, which raises provenance concerns.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide configuration. It writes output files into a local minimax-output/ directory (normal for generated media). The skill can be invoked autonomously (disable-model-invocation is false), which is the platform default; that is not itself flagged, but combined with the undeclared API key requirement increases risk.
What to consider before installing
What to check before installing: - Do not provide your MINIMAX_API_KEY until you verify the publisher and origin. The code requires MINIMAX_API_KEY (it will fail without it), but the registry metadata omits this — that mismatch is suspicious. - Confirm the skill's owner/provenance: _meta.json in the bundle shows a different ownerId/slug than the registry listing. Ask the publisher for a canonical source (GitHub repo or homepage) and for corrected metadata. - Note missing files referenced in docs: SKILL.md/refs mention requirements.txt and a PowerShell script that are not present. Ask the author to include or remove these references. - The scripts call only api.minimaxi.com (no obfuscated endpoints), and use only the Python stdlib; still, treat the API key as a sensitive secret — if you must test, use a scoped/test key and run in an isolated environment. Rotate the key afterwards. - If you plan to use Feishu delivery, verify the separate feishu-media skill and avoid exposing other credentials. - If uncertain, request the publisher to fix metadata (declare MINIMAX_API_KEY as required), provide a trusted homepage/repo, and explain the missing files before trusting the skill with live credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bez4bhn8b8sq44cz5n14twn83vk33

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments