rockytian-top

MiniMax Media Generator

by Rocky.Tian · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 61 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install rocky-minimax-media
Description
MiniMax media generation plugin - image/video/TTS/music generation, with interactive model selection
Usage Guidance
Do not trust or run generate.sh as-is. It contains a hardcoded MiniMax API key and writes to /Users/rocky/Desktop, behavior that contradicts the manifest and SKILL.md. That embedded key could be someone else's credential (risking unexpected billing, misuse, or leakage). Recommended actions before installing/using:
  1. Inspect and remove or disable generate.sh (or replace the hardcoded key and absolute paths with references to your own MINIMAX_API_KEY and MINIMAX_OUTPUT_DIR).
  2. Prefer using the provided install.sh, which prompts you to input your own API key and writes it to ~/.openclaw/openclaw.json.
  3. After running install.sh, verify openclaw.json content and confirm only your key was added.
  4. Search the package for any other hardcoded secrets or absolute paths.
  5. If you or your environment ever ran generate.sh with the embedded key, assume that key is compromised: rotate/replace your own MiniMax API key and contact MiniMax if you need to investigate billing/usage.
  6. Only enable this skill if you accept the risk of embedded secrets and have sanitized the code; otherwise decline or ask the publisher for a clean release that does not include hardcoded credentials.
Capability Analysis
Type: OpenClaw Skill
Name: rocky-minimax-media
Version: 1.0.0
The skill bundle contains multiple security vulnerabilities and poor practices. Specifically, `generate.sh` and `scripts/minimax.sh` are vulnerable to shell command injection because user-provided prompts and filenames are used directly within shell commands without sanitization. Additionally, `generate.sh` contains a hardcoded MiniMax API key and hardcoded absolute file paths (`/Users/rocky/Desktop`), which are characteristic of unvetted development scripts. While these issues allow for potential exploitation, there is no clear evidence of intentional malice or data exfiltration.
Capability Tags
requires-sensitive-credentials
Capability Assessment
Purpose & Capability
The name and description promise image/video/TTS/music generation via MiniMax, and most scripts (install.sh, minimax.sh) only request the MiniMax API key and read/write the user's openclaw.json; that is coherent. However, generate.sh contains a long hardcoded API key and a hardcoded output path (/Users/rocky/Desktop), contradicting the manifest note '无硬编码' ("no hardcoding") and the SKILL.md guidance to supply your own key; that extra embedded credential and user-specific path are not needed for the declared purpose.
Instruction Scope
SKILL.md and scripts instruct only to add the API key to ~/.openclaw/openclaw.json and run minimax.sh; those steps are within scope. But generate.sh bypasses the declared configuration flow by embedding an API key and writing to an absolute desktop path. That script grants the package more direct network access with a baked-in credential and performs file writes outside the plugin's usual output dir, which goes beyond the documented runtime instructions.
Install Mechanism
There is no external install/download step (instruction-only plus local scripts). install.sh modifies ~/.openclaw/openclaw.json to store the user's API key — expected for a plugin. No remote arbitrary code downloads or obscure URLs were found.
Credentials
The plugin legitimately requires a MiniMax API key. But registry metadata reported no required env vars while manifest.json and SKILL.md do require MINIMAX_API_KEY — an inconsistency. More importantly, generate.sh contains a hardcoded API key (sk-cp-...) and uses a hardcoded output directory; this is disproportionate, leaks a credential, and may cause billing/account/traceability issues if that key is valid.
Persistence & Privilege
The skill does not request 'always: true' or other elevated privileges. install.sh writes only to the user's openclaw.json (its own configuration area), which is expected behavior for an OpenClaw plugin. There is no evidence it modifies other skills or system-wide settings beyond openclaw.json.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install rocky-minimax-media
  3. After installation, invoke the skill by name or use /rocky-minimax-media
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
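rocky-minimax-media v1.3.0
- Added the MiniMax media generation plugin, with one-stop generation of images, video, TTS speech and music
- Supports interactive model and voice selection to suit different generation scenarios
- Installation now includes an automatic API key configuration prompt
- The script command line is simple to use, with one-click testing and per-category generation
- Output directory is customizable and compatible with the OpenClaw configuration
- Detailed documentation with improved installation and usage instructions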
Metadata
Slug rocky-minimax-media
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is MiniMax Media Generator?

MiniMax media generation plugin - image/video/TTS/music generation, with interactive model selection. It is an AI Agent Skill for Claude Code / OpenClaw, with 61 downloads so far.

How do I install MiniMax Media Generator?

Run "/install rocky-minimax-media" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is MiniMax Media Generator free?

Yes, MiniMax Media Generator is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does MiniMax Media Generator support?

MiniMax Media Generator is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created MiniMax Media Generator?

It is built and maintained by Rocky.Tian (@rockytian-top); the current version is v1.0.0.
