by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's declared purpose (a coding assistant) is plausible, but the package/docs reference an external MiniMax API key, persistent config/log paths, and an install that will fetch code from GitHub — none of which are declared in the skill's required env/config metadata, so there are unexplained mismatches and potential data-exfiltration/storage concerns.
评估建议
This skill behaves like a powerful local coding assistant (can read/write files and run shell commands) and its docs indicate it uses an external MiniMax API key and keeps detailed logs — but the registry metadata doesn't declare required credentials or config paths. Before installing: (1) review the upstream GitHub repo (https://github.com/MiniMax-AI/Mini-Agent.git) and the npm package contents to confirm what code will run; (2) verify how and where it stores logs/config and whether logs may in...详细分析 ▾
ℹ 用途与能力
The name/description (programming assistant with file and command execution) aligns with the tools and capabilities described (read/write/edit files, run bash). Requiring a 'mini-agent' binary and offering to install a Node package from GitHub is consistent with delivering that tool. However, documentation repeatedly references an external MiniMax API key and API endpoint (config.yaml / MINIMAX_API_KEY), but the skill metadata does not declare any required env vars or credentials — an inconsistency that should be justified.
⚠ 指令范围
The runtime instructions and examples explicitly instruct reading/writing arbitrary files and executing arbitrary shell commands across user paths (e.g., /home/pi, /var/log), and describe persistent logs that record full requests and tool calls (which can include user inputs and secrets). Those behaviors are within the broad scope of a code-assistant but are high-risk operations; the SKILL.md and docs also reference inspecting other skills ('get_skill'), which can expose other skills' contents. The skill's docs instruct accessing specific config and log paths (~/.mini-agent/ and /home/pi/.openclaw/agents/xiaoma) even though these paths were not declared in the registry metadata.
ℹ 安装机制
The install spec is a Node package installed with a command that clones from GitHub (git+https://github.com/MiniMax-AI/Mini-Agent.git). GitHub is a common host, but the skill package included no code files to audit locally — the actual runtime code will be pulled from that repository at install time and was not scanned. 'uv tool install' is a non-standard installer command in this context; installing arbitrary code from a remote repo is a moderate risk and should be inspected before running.
⚠ 凭证需求
The skill metadata lists no required environment variables or credentials, yet the docs/config explicitly require a MiniMax API key (api_key / MINIMAX_API_KEY) and an api_base. That mismatch is problematic: the skill expects a secret but does not declare it. Additionally, logs described will record requests/responses and tool invocations (potentially capturing secrets). The absence of declared credentials in metadata reduces transparency about what sensitive information the skill will need or might capture.
✓ 持久化与权限
The skill does not request 'always: true' and does not claim to modify other skills or global agent settings. It does create and use persistent config and log directories under ~/.mini-agent/, which is normal for a tool of this type but worth auditing because logs may include sensitive request contents.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/3/2
Initial release
● 可疑
安装命令 点击复制
官方npx clawhub@latest install mini-agent
镜像加速npx clawhub@latest install mini-agent --registry https://cn.clawhub-mirror.com
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制