← Back to Skills Marketplace
1091
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install minimax-speech
Description
Manage MiniMax Speech 2.8 TTS requests, voice catalog lookups, and precise voice/audio configuration using MiniMax API via CLI or script.
Usage Guidance
This appears to be a legitimate MiniMax TTS helper, but be cautious before installing or running it. Key points:
- The script requires MINIMAX_API_KEY even though the registry metadata doesn't declare it; verify you are comfortable providing that API key and understand its privilege level (create a limited/test key if possible).
- The CLI accepts an --endpoint override; do not point it at unknown or untrusted URLs, because your API key and audio payloads will be sent there. Prefer the default https://api.minimax.io endpoints or your organization's approved endpoints.
- Inspect scripts/minimax_tts.py (already present) yourself — it is short and readable; run it in an isolated environment (virtualenv/container) and test with a limited-key account before using real/production credentials.
- If you rely on the registry metadata for automation, update or correct the metadata to declare MINIMAX_API_KEY so tools and reviewers are not misled.
If you want higher assurance, ask the publisher for a homepage/source repo, or request a signed/reproducible release from an identifiable maintainer.
Capability Analysis
Type: OpenClaw Skill
Name: minimax-speech
Version: 1.0.0
The `scripts/minimax_tts.py` skill, while intended for legitimate MiniMax API interaction, contains several vulnerabilities. The `--endpoint` argument allows the `MINIMAX_API_KEY` to be sent to an arbitrary URL, posing a risk of credential exfiltration if the AI agent is prompted to use a malicious endpoint. Additionally, the `--output` argument in both `tts` and `voices` subcommands is vulnerable to path traversal, potentially allowing arbitrary file writes outside the intended directory. The `decode_audio` function also allows downloading content from arbitrary URLs if the `output_format` is set to `url` and the API response contains a malicious URL. These are significant vulnerabilities that could be exploited via prompt injection or malicious input, but there is no clear evidence of intentional malicious design within the code or `SKILL.md`.
Capability Assessment
Purpose & Capability
The skill's name/description match the code and SKILL.md: it performs TTS and voice-catalog requests. However, the registry metadata declares no required environment variables or primary credential, while both SKILL.md and scripts/minimax_tts.py require MINIMAX_API_KEY; that metadata omission is an incoherence (the skill actually needs a credential to work).
Instruction Scope
The runtime instructions stay within TTS/catalog lookup scope (install requests, set MINIMAX_API_KEY, run the provided CLI). The script prints/dumps API responses and writes audio/catalog JSON to disk. One noteworthy capability: both the SKILL.md and script allow overriding the API endpoint (--endpoint), so an operator or an automated agent could be directed to send the API key and payload to an arbitrary URL — this is expected for debugging/region overrides but increases the risk surface if endpoints are malicious.
Install Mechanism
No install spec in the registry; SKILL.md asks only for 'pip install requests' and Python 3.11+. There are no remote downloads, no archive extraction, and the only included code is a single Python script. This is low installation risk.
Credentials
The script requires MINIMAX_API_KEY (checked at runtime) but the registry metadata lists no required env vars or primary credential — an inconsistency that could mislead users about what secrets they must provide. Requiring a single API key is proportionate to a TTS client, but because the CLI can target an arbitrary endpoint, supplying the key could result in it being sent to unexpected endpoints if the endpoint is changed.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills or system-wide settings, and is runnable only when invoked. It writes output files only when asked and does not request elevated or persistent privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install minimax-speech - After installation, invoke the skill by name or use
/minimax-speech - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of MiniMax Speech 2.8 helper
Metadata
Frequently Asked Questions
What is MiniMax Speech 2.8?
Manage MiniMax Speech 2.8 TTS requests, voice catalog lookups, and precise voice/audio configuration using MiniMax API via CLI or script. It is an AI Agent Skill for Claude Code / OpenClaw, with 1091 downloads so far.
How do I install MiniMax Speech 2.8?
Run "/install minimax-speech" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is MiniMax Speech 2.8 free?
Yes, MiniMax Speech 2.8 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does MiniMax Speech 2.8 support?
MiniMax Speech 2.8 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created MiniMax Speech 2.8?
It is built and maintained by wingchiu (@wingchiu); the current version is v1.0.0.
More Skills