Security scan
OpenClaw
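Suspicious
Medium confidence: the skill largely implements the functionality it describes (opening the MiniMax billing page and scraping plan/usage information), but the code also extracts API-key-like strings from the page, a potentially sensitive and excessive behavior that is not documented in SKILL.md.
Assessment recommendation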
This skill will open a local browser and scrape the MiniMax billing page for plan/usage information. However, its code also searches the page text for API-key-like strings (regex for 'sk-cp-...') and will print/return any matches — a sensitive behavior that is not documented in SKILL.md. Before installing or running: 1) Inspect the script yourself or ask the publisher to explicitly disclose API-key extraction and whether keys are stored, transmitted, or logged. 2) If you want only plan/usage inf...
ℹ Purpose and capability
The skill's stated purpose is to retrieve MiniMax plan/usage info; the script automates a browser to open the MiniMax billing page and scrape text, which is a plausible implementation. However, the code also searches for API keys (pattern sk-cp-...) which is not mentioned in the SKILL.md outputs — this extra capability should be explicitly documented.
⚠ Instruction scope
SKILL.md instructs the user to run the provided script and describes returned fields (plan name, quota, usage); it does not mention extracting API keys. The script evaluates page DOM and runs regex to find API keys and returns/prints them. That is scope creep: the runtime instructions do not disclose that secrets visible in the page will be extracted and printed.
✓ Install mechanism
No install spec in the registry; the script requires the third-party package Playwright and a browser runtime (the script prints a message to pip install/playwright install chromium). This is expected for browser automation and no arbitrary remote downloads or obscure installers are embedded in the skill bundle.
⚠ Credential requirements
The skill does not request environment variables, which is good, but it programmatically searches the page for API keys and prints them. Extracting and exposing API keys (or other secrets displayed in the page) is a sensitive action not justified or disclosed by the SKILL.md output list.
✓ Persistence and privileges
The skill is not always-enabled and does not request persistent privileges or modify other skills or system-wide configuration. It runs as an on-demand local script and opens a visible browser instance (headful).
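Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/11
- Initial release of minimax-plan-checker.
- Supports querying plan details, usage and billing information on the MiniMax platform.
- Provides two modes: automatic retrieval via browser and manual guidance.
- Output includes plan name, quota details and usage statistics.
- If not logged in, the user must first log in to their MiniMax account.
● Suspicious
Install command
Official: npx clawhub@latest install minimax-plan-checker
Mirror (accelerated): npx clawhub@latest install minimax-plan-checker --registry https://cn.longxiaskill.com (mirror sync in progress)
Skill documentation
# MiniMax Plan Information Query

Retrieves the plan name, quota and current usage from the MiniMax platform.

## Usage

### Option 1: Retrieve via automated browser login (recommended)

```bash
python C:\Users\YangF\.openclaw\workspace\skills\minimax-plan-checker\scripts\get_plan.py
```

### Option 2: Use directly in conversation

Tell the user that a browser needs to be opened, and ask whether to automatically open the MiniMax platform page to retrieve the plan information.

## Output format

The script outputs the following information:

- Plan name: e.g. "Chat API" / "MoE API"
- Quota information: total quota, used quota, remaining quota
- Usage statistics: number of API calls, token usage, etc.

## Notes

- The user must already be logged in to their MiniMax account
- If not logged in, the browser opens the login page; the user logs in and then runs the script
- Page URL: https://platform.minimaxi.com/user-center/payment/coding-plan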