← Back to Skills Marketplace
422
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install mini-agent
Description
Mini-Max AI 编程助手 - 基于 MiniMax M2.5 模型的智能代码开发工具,支持文件操作、命令执行、代码编写等功能。适用于 OpenClaw Agent 系统。
Usage Guidance
This skill behaves like a powerful local coding assistant (can read/write files and run shell commands) and its docs indicate it uses an external MiniMax API key and keeps detailed logs — but the registry metadata doesn't declare required credentials or config paths. Before installing: (1) review the upstream GitHub repo (https://github.com/MiniMax-AI/Mini-Agent.git) and the npm package contents to confirm what code will run; (2) verify how and where it stores logs/config and whether logs may include secrets; (3) only provide an API key if you trust the MiniMax service and have audited the client code; (4) consider running the package in a sandboxed environment or VM and restrict permissions to the ~/.mini-agent and workspace directories; (5) ask the publisher to update metadata to declare required env vars (MINIMAX_API_KEY/MINIMAX_API_BASE) and config paths so you can make an informed trust decision.
Capability Analysis
Type: OpenClaw Skill
Name: mini-agent
Version: 1.0.0
The skill bundle is classified as suspicious due to its extremely broad and powerful capabilities, which present significant security risks. The `SKILL.md` file explicitly lists tools like `bash` (for arbitrary shell command execution) and `read_file`, `write_file`, `edit_file` (for full file system access). These capabilities, while presented as legitimate for a 'programming assistant,' create a critical vulnerability for Remote Code Execution (RCE) and data exfiltration if the AI agent is compromised via prompt injection. Additionally, the `SKILL.md` instructs the OpenClaw system to install the `mini-agent` tool from an external GitHub repository (`git+https://github.com/MiniMax-AI/Mini-Agent.git`), introducing a supply chain risk. There is no direct evidence of intentional malicious behavior within the analyzed files, but the inherent risk of these powerful tools makes the skill suspicious.
Capability Assessment
Purpose & Capability
The name/description (programming assistant with file and command execution) aligns with the tools and capabilities described (read/write/edit files, run bash). Requiring a 'mini-agent' binary and offering to install a Node package from GitHub is consistent with delivering that tool. However, documentation repeatedly references an external MiniMax API key and API endpoint (config.yaml / MINIMAX_API_KEY), but the skill metadata does not declare any required env vars or credentials — an inconsistency that should be justified.
Instruction Scope
The runtime instructions and examples explicitly instruct reading/writing arbitrary files and executing arbitrary shell commands across user paths (e.g., /home/pi, /var/log), and describe persistent logs that record full requests and tool calls (which can include user inputs and secrets). Those behaviors are within the broad scope of a code-assistant but are high-risk operations; the SKILL.md and docs also reference inspecting other skills ('get_skill'), which can expose other skills' contents. The skill's docs instruct accessing specific config and log paths (~/.mini-agent/ and /home/pi/.openclaw/agents/xiaoma) even though these paths were not declared in the registry metadata.
Install Mechanism
The install spec is a Node package installed with a command that clones from GitHub (git+https://github.com/MiniMax-AI/Mini-Agent.git). GitHub is a common host, but the skill package included no code files to audit locally — the actual runtime code will be pulled from that repository at install time and was not scanned. 'uv tool install' is a non-standard installer command in this context; installing arbitrary code from a remote repo is a moderate risk and should be inspected before running.
Credentials
The skill metadata lists no required environment variables or credentials, yet the docs/config explicitly require a MiniMax API key (api_key / MINIMAX_API_KEY) and an api_base. That mismatch is problematic: the skill expects a secret but does not declare it. Additionally, logs described will record requests/responses and tool invocations (potentially capturing secrets). The absence of declared credentials in metadata reduces transparency about what sensitive information the skill will need or might capture.
Persistence & Privilege
The skill does not request 'always: true' and does not claim to modify other skills or global agent settings. It does create and use persistent config and log directories under ~/.mini-agent/, which is normal for a tool of this type but worth auditing because logs may include sensitive request contents.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install mini-agent - After installation, invoke the skill by name or use
/mini-agent - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is Mini-Agent?
Mini-Max AI 编程助手 - 基于 MiniMax M2.5 模型的智能代码开发工具,支持文件操作、命令执行、代码编写等功能。适用于 OpenClaw Agent 系统。 It is an AI Agent Skill for Claude Code / OpenClaw, with 422 downloads so far.
How do I install Mini-Agent?
Run "/install mini-agent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Mini-Agent free?
Yes, Mini-Agent is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Mini-Agent support?
Mini-Agent is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Mini-Agent?
It is built and maintained by L1-M1ng (@l1-m1ng); the current version is v1.0.0.
More Skills