Safety Report

MiniMax MCP Call

Name: MiniMax MCP Call
Author: russellfei

MiniMax MCP tools - Web search and image understanding via MiniMax Coding Plan. Use when user needs web search, current information, or image analysis. Requi...

100Downloads

1Installs

0Stars

1Versions

Search & Retrieval2,116 Image Processing1,559 Design & Prototyping842

Security Analysis

high confidence

Clean

The skill's files, env usage, and runtime instructions are coherent with its stated purpose (web search and image understanding) though it asks you to install a third‑party tool via a remote install script and to store your API key on disk — both are legitimate for this kind of skill but worth verifying before proceeding.

Feb 28, 20264 files1 concern

Purpose & Capabilityok

The skill claims web search and image understanding and includes a client that calls tools named web_search and understand_image via a local MCP process. Required items (MINIMAX_API_KEY, optional MINIMAX_API_HOST, Node.js, and the 'uv' runtime/uvx binary) line up with that purpose.

Instruction Scopeok

SKILL.md and the wrapper script limit actions to installing 'uv', storing/loading MINIMAX_API_KEY in ~/.openclaw/.env, and launching the provided Node.js client. The scripts only read the declared ~/.openclaw/.env and do not attempt to read unrelated system paths or other credentials.

Install Mechanismconcern

There is no formal install spec in the manifest; SKILL.md instructs users to run a remote install (curl | sh) from https://astral.sh/uv/install.sh to install 'uv'. Running arbitrary remote install scripts is higher risk — verify the source and script contents before executing.

Credentialsok

Only MINIMAX_API_KEY and MINIMAX_API_HOST are used; these are required and used by the client and forwarded to the spawned 'uvx' process. The quantity and naming of env vars are proportional to the stated functionality.

Persistence & Privilegeok

The skill is not automatically always-enabled and does not request persistent platform privileges. It writes/reads credentials to a user-scoped file (~/.openclaw/.env) which is expected for storing an API key; it does not modify other skills or system-wide settings.

Guidance

This skill appears to do what it says: it launches a local MCP process (uvx) and forwards your MINIMAX_API_KEY so the MCP can perform web searches and image analysis. Before installing: - Review the remote installer it asks you to run (https://astral.sh/uv/install.sh). Don't run curl | sh unless you trust the source; inspect the script first or install 'uv' from a trusted package channel. - Be aware the skill stores your API key in ~/.openclaw/.env and exports it to the spawned uvx process. If the 'uvx' binary or the MCP server is compromised, your key could be exposed — prefer a scoped/revokable key. - Confirm the MINIMAX_API_HOST value (default https://api.minimaxi.com) is correct for the service you expect. - If you want extra safety, run this skill inside a sandboxed environment or container, or create a dedicated API key with limited permissions and rotate it if needed.

Latest Release

v1.0.0

Initial release

More by @russellfei

Vibe Coding Best Practices v3.0

1 stars

Catch My Skill

0 stars

White Stone Memory

0 stars

Class Seven

0 stars

Claw News

0 stars

Elegant Sync

0 stars

Published by @russellfei on ClawHub