by 安全扫描
OpenClaw
可疑
medium confidenceThe SKILL.md describes a MiniMax token checker that needs a Python script and an API key, but the skill bundle contains no code and the registry metadata does not declare the required credentials — the pieces don't line up.
评估建议
Do not install or run this skill yet. The SKILL.md expects you to run minimax_token.py and to install a systemd service, but the published bundle contains no script or service file and the registry metadata does not declare the required MINIMAX_API_KEY. Ask the publisher for the missing source files and the exact service unit; verify the service unit and Python script content before running. Confirm the MiniMax API endpoints used are legitimate, and if you test it, run in an isolated account or ...详细分析 ▾
⚠ 用途与能力
The description and SKILL.md both claim the skill queries MiniMax API quotas, supports scheduling and Telegram notifications — that purpose is plausible and the listed dependencies (python3, requests, curl) are proportional. However the package contains no executable/script (minimax_token.py) or service file even though SKILL.md instructs running them. The skill cannot function as described without those missing files.
ℹ 指令范围
Runtime instructions are narrowly scoped to calling the MiniMax API and optionally sending Telegram messages, installing requests, and setting up a user systemd service. They do not ask for unrelated system data. But the instructions assume running a local Python script and using environment variables that are not declared in the registry metadata — a mismatch that permits unexpected behavior if the missing code were supplied later.
✓ 安装机制
There is no install spec (instruction-only), which is lower risk. SKILL.md recommends pip3 install requests and standard system utilities; nothing instructs downloading arbitrary archives or executing code from an untrusted URL. The main risk is the missing script — the instructions expect you to add/run files not included.
⚠ 凭证需求
SKILL.md requires MINIMAX_API_KEY (mandatory) and optionally TELEGRAM_BOT_TOKEN, TELEGRAM_CHAT_ID, OPENCLAW_LOG_DIR. The registry metadata, however, lists no required environment variables or primary credential. That discrepancy is significant: the skill needs a secret (MiniMax API key) to operate but the skill metadata does not declare it, preventing policy/permission reviewers from noticing required secrets.
✓ 持久化与权限
The skill does not request always: true and defaults allow user invocation and autonomous invocation (normal). The instructions include setting up a user-level systemd service — this creates a persistent user job that will run with whatever environment the user configures (including the API key). That's expected for a monitoring tool but the user should review the actual service file (not provided) before enabling it.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.2.12026/3/11
Version 2.2.1 - No code or documentation changes detected in this release. - The skill remains functionally and descriptively the same as the previous version.
● Pending
安装命令 点击复制
官方npx clawhub@latest install minimax-token
镜像加速npx clawhub@latest install minimax-token --registry https://cn.clawhub-mirror.com
技能文档
查询 MiniMax API 的 Token 剩余配额,支持定时检查和 Telegram 通知。
功能特性
- ✅ 查询 MiniMax API 令牌 剩余配额
- ✅ 支持定时自动检查(每小时)
- ✅ 通过 Telegram 发送通知
- ✅ 支持环境变量配置
- ✅ systemd 服务支持
依赖
# Python 依赖
pip3 install requests# 系统依赖
# - curl (用于 API 请求)
# - python3
环境变量
| 变量 | 说明 | 必需 |
|---|---|---|
MINIMAX_API_KEY | MiniMax API Key | 是 |
TELEGRAM_BOT_TOKEN | Telegram Bot Token | 否 |
TELEGRAM_CHAT_ID | Telegram Chat ID | 否 |
OPENCLAW_LOG_DIR | 日志目录 (默认 ~/.openclaw/logs) | 否 |
使用方法
1. 配置环境变量
# 方式一: 环境变量
export MINIMAX_API_KEY="your_api_key"
export TELEGRAM_BOT_TOKEN="your_bot_token"
export TELEGRAM_CHAT_ID="your_chat_id"# 方式二: 运行参数
python3 minimax_token.py --check --api-key "your_api_key"
2. 单次检查
python3 minimax_token.py --check
3. 启动定时监控
python3 minimax_token.py --monitor
4. 安装为系统服务 (Linux)
# 复制 service 文件
cp minimax-token.service ~/.config/systemd/user/# 启用服务
systemctl --user enable minimax-token
systemctl --user start minimax-token
# 查看日志
journalctl --user -u minimax-token -f
配置说明
所有敏感配置都通过环境变量读取,确保安全:
- API 键:
MINIMAX_API_KEY - Telegram Bot:
TELEGRAM_BOT_TOKEN - Chat ID:
TELEGRAM_CHAT_ID
输出示例
📊 MiniMax-M2.5 配额状态• 剩余时间: 50小时 30分钟
• 本周期: 已用 150/1000 次
• 剩余: 850 次
文件结构
minimax-token/
├── SKILL.md
└── scripts/
├── minimax_token.py # 主脚本
└── minimax-token.service # systemd 服务配置
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制