Security scan
OpenClaw
Suspicious
medium confidence
The skill's declared purpose (run MiniMax MCP searches and image analysis via mcporter) is plausible, but there are inconsistencies and risky behaviors (unsanitized shell commands, unclear credential handling, and the ability to submit arbitrary local files to an external service) that warrant caution before installing.
Assessment recommendations
This skill appears to do what it says, but exercise caution before installing or running it:
- mcporter install: The skill expects the 'mcporter' CLI (npm package). Only install mcporter if you trust its source; audit the npm package and its maintainers.
- API key handling: SKILL.md mentions a MiniMax API key but the manifest doesn't declare any required env vars. Ask or verify where the API key is stored (mcporter config file?) and who/what can access it.
- Local file exfiltration risk: The sk...
Detailed analysis
✓ Purpose and capabilities
Name, description, and code align: the skill shells out to the 'mcporter' CLI to perform web_search and understand_image, and the manifest lists mcporter as the required binary/package. Requesting mcporter is coherent with the stated purpose.
⚠ Instruction scope
SKILL.md and search.py allow submitting local file paths or URLs for image analysis. The code passes user-supplied strings directly into shell commands (subprocess.run with shell=True) without sanitization, which can enable shell/command injection. Also, sending arbitrary local paths to an external service can cause sensitive-file exfiltration if mcporter/transit is untrusted.
ℹ Install mechanism
_install_ in _meta.json installs the npm package 'mcporter' globally. Installing an npm package is a moderate-risk mechanism (code pulled from the npm registry). This is expected for a tool that invokes an external CLI, but there is an inconsistency: the top-level metadata said 'No install spec — instruction-only', while _meta.json includes an install step. Verify the intended install behavior and the trustworthiness of the 'mcporter' package.
⚠ Credential requirements
SKILL.md mentions '首次使用需配置 MiniMax API Key(已在配置文件中设置)' (in English: 'a MiniMax API Key must be configured before first use (already set in the configuration file)'), so an API key is required, but the manifest declares no required environment variables or primary credential. The skill therefore expects secrets to be configured externally (e.g., in mcporter config files) but does not declare or document them clearly, an incoherence that can hide where keys are stored and who/what can access them.
✓ Persistence and privileges
The skill does not request always:true or any special persistent privileges and does not modify other skills or system-wide settings. Autonomous invocation is allowed (default) but not flagged on its own. No other privilege escalation indicators are present.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest · v1.0.0 · 2026/2/25
Initial release of MiniMax MCP Search Skill.
- Supports real-time web search with concise results (title, link, summary, date) via MiniMax MCP.
- Enables image understanding for both local files and URLs in JPEG, PNG, or WebP formats.
- Requires installation of mcporter and pre-configured MiniMax API Key.
- Clear usage instructions and parameter descriptions provided for all tools.
● Suspicious
Install command
Official: npx clawhub@latest install minimax-mcp-v2
Mirror (accelerated): npx clawhub@latest install minimax-mcp-v2 --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库