← Back to Skills Marketplace
969
Downloads
0
Stars
4
Active Installs
1
Versions
Install in OpenClaw
/install minimax-mcp-v2
Description
Perform real-time web searches and analyze images using MiniMax MCP with input prompts and flexible image sources.
Usage Guidance
This skill appears to do what it says, but exercise caution before installing or running it:
- mcporter install: The skill expects the 'mcporter' CLI (npm package). Only install mcporter if you trust its source; audit the npm package and its maintainers.
- API key handling: SKILL.md mentions a MiniMax API key but the manifest doesn't declare any required env vars. Ask or verify where the API key is stored (mcporter config file?) and who/what can access it.
- Local file exfiltration risk: The skill accepts arbitrary local file paths for image analysis and forwards them to an external service via mcporter. Do not point it at sensitive files. Consider restricting allowed image paths or running the skill in a sandboxed environment.
- Command injection: search.py constructs shell commands by interpolating user input into mcporter calls and uses subprocess.run(..., shell=True). If untrusted input reaches these functions, an attacker could inject shell commands. Prefer sanitized arguments or using subprocess with an argv list (no shell), or otherwise validate and escape inputs.
Recommended actions before use: review the mcporter package code and its network behavior; confirm where API keys/configs are stored; avoid using with sensitive local files; and request or patch the skill to avoid shell=True and to declare required credentials explicitly. If you are not comfortable auditing dependencies or running code from this author, treat the skill as untrusted.
Capability Analysis
Type: OpenClaw Skill
Name: minimax-mcp-v2
Version: 1.0.0
The `search.py` script is highly vulnerable to shell injection. It uses `subprocess.run` with `shell=True` and directly interpolates user-controlled inputs (`query`, `prompt`, `image_path`) into the shell command strings without proper sanitization. This allows an attacker to execute arbitrary commands on the host system by crafting malicious input for the `web_search` and `understand_image` functions, posing a severe remote code execution risk.
Capability Assessment
Purpose & Capability
Name, description, and code align: the skill shells out to the 'mcporter' CLI to perform web_search and understand_image, and the manifest lists mcporter as the required binary/package. Requesting mcporter is coherent with the stated purpose.
Instruction Scope
SKILL.md and search.py allow submitting local file paths or URLs for image analysis. The code passes user-supplied strings directly into shell commands (subprocess.run with shell=True) without sanitization, which can enable shell/command injection. Also, sending arbitrary local paths to an external service can cause sensitive-file exfiltration if mcporter/transit is untrusted.
Install Mechanism
_install_ in _meta.json installs the npm package 'mcporter' globally. Installing an npm package is a moderate-risk mechanism (code pulled from the npm registry). This is expected for a tool that invokes an external CLI, but there is an inconsistency: the top-level metadata said 'No install spec — instruction-only', while _meta.json includes an install step. Verify the intended install behavior and the trustworthiness of the 'mcporter' package.
Credentials
SKILL.md mentions '首次使用需配置 MiniMax API Key(已在配置文件中设置)' (an API key is required), but the manifest declares no required environment variables or primary credential. The skill therefore expects secrets to be configured externally (e.g., in mcporter config files) but does not declare or document them clearly — an incoherence that can hide where keys are stored and who/what can access them.
Persistence & Privilege
The skill does not request always:true or any special persistent privileges and does not modify other skills or system-wide settings. Autonomous invocation is allowed (default) but not flagged on its own. No other privilege escalation indicators are present.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install minimax-mcp-v2 - After installation, invoke the skill by name or use
/minimax-mcp-v2 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of MiniMax MCP Search Skill.
- Supports real-time web search with concise results (title, link, summary, date) via MiniMax MCP.
- Enables image understanding for both local files and URLs in JPEG, PNG, or WebP formats.
- Requires installation of mcporter and pre-configured MiniMax API Key.
- Clear usage instructions and parameter descriptions provided for all tools.
Metadata
Frequently Asked Questions
What is MiniMax MCP Search?
Perform real-time web searches and analyze images using MiniMax MCP with input prompts and flexible image sources. It is an AI Agent Skill for Claude Code / OpenClaw, with 969 downloads so far.
How do I install MiniMax MCP Search?
Run "/install minimax-mcp-v2" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is MiniMax MCP Search free?
Yes, MiniMax MCP Search is completely free (open-source). You can download, install and use it at no cost.
Which platforms does MiniMax MCP Search support?
MiniMax MCP Search is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created MiniMax MCP Search?
It is built and maintained by HillSP (@hillsp99); the current version is v1.0.0.
More Skills