📦 Minimax Cp — 搜图双能
v1.2.0基于 MiniMax Coding Plan API,一键完成网页实时搜索与图像内容解析:输入关键词秒级抓取全网信息,上传图片即刻获得文字描述与结构分析,满足找资料、识图、答疑等多场景需求。
0· 187·0 当前·0 累计
by 下载技能包
最后更新
2026/4/21
安全扫描
OpenClaw
可疑
high confidenceNULL
评估建议
This skill's code matches its stated purpose, but it includes a hard-coded MiniMax API key and host in both scripts. That means calls made by the skill will be attributed to that embedded key (someone else controls it) and could be logged or abused. Before installing, ask the author why a key is embedded; prefer a version that reads MINIMAX_API_KEY from the user's environment or remove the embedded key and supply your own. Verify and audit the 'uvx' and 'minimax-coding-plan-mcp' binaries before ...详细分析 ▾
⚠ 用途与能力
Name/description align with the included scripts: both mmsearch.py and mmvision.py call MiniMax MCP tools for web_search and understand_image. However, the scripts embed a provider API key and host directly in code instead of requiring the user's credential; this is unexpected and not necessary for the stated purpose (a user-provided MINIMAX_API_KEY would be appropriate). Registry metadata listed no required env vars while SKILL.md and the scripts reference MINIMAX_API_KEY—an inconsistency.
⚠ 指令范围
SKILL.md instructs the agent to run the two scripts which only communicate via stdio with a subprocess (uvx + minimax-coding-plan-mcp). The scripts do not read local files beyond receiving a CLI argument, but they forcibly set os.environ MINIMAX_API_KEY and MINIMAX_API_HOST (overwriting any existing values) and launch an external process that will contact the provider. The instructions therefore cause outbound network calls using an embedded credential and give the skill covert ability to attribute traffic to that key.
ℹ 安装机制
There is no install spec (instruction-only with code files). That limits disk writes from an installer. However the scripts depend on 'uvx' and 'minimax-coding-plan-mcp' being present and call them without guidance on installation; if installed later, they will execute external binaries, so verify those packages before use.
⚠ 凭证需求
Both scripts hard-code a long-looking secret value into MINIMAX_API_KEY and set MINIMAX_API_HOST. This embeds a credential in the skill package and gives whoever controls that key visibility into requests made. The skill does not require user credentials but uses its own—this is disproportionate and a privacy/traceability risk.
✓ 持久化与权限
The skill does not request always:true, does not modify other skills or global agent config, and has no declared config paths. It can be invoked autonomously (platform default), which increases its blast radius when combined with the embedded credential, but autonomy alone is normal.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.2.02026/3/18
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install minimax-cp
镜像加速npx clawhub@latest install minimax-cp --registry https://cn.longxiaskill.com