使用MiniMax视觉模型识别图片中的验证码、滑块位置、文字内容等。适用于需要AI视觉分析的场景,如微信验证码识别、网页截图分析、图片文字提取。当需要识别图片内容、分析验证码、提取截图信息时使用此技能。
Security Analysis
medium confidenceSkill functionality aligns with its description, but there are security and transparency concerns (unsanitized shell invocation, implicit credentials/config expectations, and automatic local file access) that the user should review before installing.
Name/description, SKILL.md, and the included script all consistently implement an image/captcha recognition helper that calls a MiniMax visual MCP via mcporter and uses OpenClaw browser screenshots. The files and commands requested are coherent with the stated purpose.
Runtime instructions tell the agent to take screenshots and call mcporter.minimax-coding-plan.understand_image — that matches purpose. However the included script will automatically look in /root/.openclaw/media/browser for screenshots if none provided (accessing local user/root files), and it constructs a shell command by interpolating user-supplied prompt and imagePath directly into a single string passed to execSync. That creates a command-injection risk and means the skill can read and submit arbitrary local images to the MCP.
No install spec or remote downloads — the skill is instruction-only with a small local Node script. Nothing is fetched from arbitrary URLs during install, which lowers supply-chain risk.
The skill declares no environment variables or credentials, but SKILL.md says 'ensure MiniMax MCP is configured' and the script uses mcporter. Credentials/config required to call the MCP are not documented in requires.env or marketplace.json — an omission that reduces transparency. No unrelated credentials are requested.
Skill is user-invocable, not always:true, and does not request elevated or persistent platform privileges nor modify other skills' configurations.
Guidance
This skill appears to do what it claims (solve captchas using a MiniMax visual service) but you should be cautious before installing: 1) The included script runs a shell command via execSync with prompt and image path interpolated verbatim — this is vulnerable to command injection if those values include malicious characters. Prefer a version that calls mcporter with an argument array (spawn/execFile) or properly escapes inputs. 2) The script will read the latest PNG from /root/.openclaw/media/browser if no image is given; make sure you are comfortable with the skill accessing that directory and that no sensitive screenshots could be sent to the MCP. 3) SKILL.md mentions MiniMax MCP must be configured, but the skill does not declare what credentials or endpoints are required — verify how mcporter is configured and where image data will be sent. 4) The skill author/source is not clearly verified (marketplace.json lists an author/link but the package source/homepage are missing) — consider running in a sandbox, review or rewrite the script to sanitize inputs, and confirm compliance with any site/service terms (captcha bypassing can violate terms of service).
Latest Release
v1.0.0
首次发布
Popular Skills
Intelligent Stocks Screener
@financial-ai-analyst · 96 stars
All-Market Financial Data Hub
@financial-ai-analyst · 68 stars
Global Macro Database Assistant
@financial-ai-analyst · 66 stars
Financial Search Engine
@financial-ai-analyst · 59 stars
Earnings Review Agent
@financial-ai-analyst · 6 stars
mx-financial-assistant
@financial-ai-analyst · 4 stars
Published by @Financier-Nuri on ClawHub
