← 返回 Skills 市场
422
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install mini-agent
功能描述
Mini-Max AI 编程助手 - 基于 MiniMax M2.5 模型的智能代码开发工具,支持文件操作、命令执行、代码编写等功能。适用于 OpenClaw Agent 系统。
安全使用建议
This skill behaves like a powerful local coding assistant (can read/write files and run shell commands) and its docs indicate it uses an external MiniMax API key and keeps detailed logs — but the registry metadata doesn't declare required credentials or config paths. Before installing: (1) review the upstream GitHub repo (https://github.com/MiniMax-AI/Mini-Agent.git) and the npm package contents to confirm what code will run; (2) verify how and where it stores logs/config and whether logs may include secrets; (3) only provide an API key if you trust the MiniMax service and have audited the client code; (4) consider running the package in a sandboxed environment or VM and restrict permissions to the ~/.mini-agent and workspace directories; (5) ask the publisher to update metadata to declare required env vars (MINIMAX_API_KEY/MINIMAX_API_BASE) and config paths so you can make an informed trust decision.
功能分析
Type: OpenClaw Skill
Name: mini-agent
Version: 1.0.0
The skill bundle is classified as suspicious due to its extremely broad and powerful capabilities, which present significant security risks. The `SKILL.md` file explicitly lists tools like `bash` (for arbitrary shell command execution) and `read_file`, `write_file`, `edit_file` (for full file system access). These capabilities, while presented as legitimate for a 'programming assistant,' create a critical vulnerability for Remote Code Execution (RCE) and data exfiltration if the AI agent is compromised via prompt injection. Additionally, the `SKILL.md` instructs the OpenClaw system to install the `mini-agent` tool from an external GitHub repository (`git+https://github.com/MiniMax-AI/Mini-Agent.git`), introducing a supply chain risk. There is no direct evidence of intentional malicious behavior within the analyzed files, but the inherent risk of these powerful tools makes the skill suspicious.
能力评估
Purpose & Capability
The name/description (programming assistant with file and command execution) aligns with the tools and capabilities described (read/write/edit files, run bash). Requiring a 'mini-agent' binary and offering to install a Node package from GitHub is consistent with delivering that tool. However, documentation repeatedly references an external MiniMax API key and API endpoint (config.yaml / MINIMAX_API_KEY), but the skill metadata does not declare any required env vars or credentials — an inconsistency that should be justified.
Instruction Scope
The runtime instructions and examples explicitly instruct reading/writing arbitrary files and executing arbitrary shell commands across user paths (e.g., /home/pi, /var/log), and describe persistent logs that record full requests and tool calls (which can include user inputs and secrets). Those behaviors are within the broad scope of a code-assistant but are high-risk operations; the SKILL.md and docs also reference inspecting other skills ('get_skill'), which can expose other skills' contents. The skill's docs instruct accessing specific config and log paths (~/.mini-agent/ and /home/pi/.openclaw/agents/xiaoma) even though these paths were not declared in the registry metadata.
Install Mechanism
The install spec is a Node package installed with a command that clones from GitHub (git+https://github.com/MiniMax-AI/Mini-Agent.git). GitHub is a common host, but the skill package included no code files to audit locally — the actual runtime code will be pulled from that repository at install time and was not scanned. 'uv tool install' is a non-standard installer command in this context; installing arbitrary code from a remote repo is a moderate risk and should be inspected before running.
Credentials
The skill metadata lists no required environment variables or credentials, yet the docs/config explicitly require a MiniMax API key (api_key / MINIMAX_API_KEY) and an api_base. That mismatch is problematic: the skill expects a secret but does not declare it. Additionally, logs described will record requests/responses and tool invocations (potentially capturing secrets). The absence of declared credentials in metadata reduces transparency about what sensitive information the skill will need or might capture.
Persistence & Privilege
The skill does not request 'always: true' and does not claim to modify other skills or global agent settings. It does create and use persistent config and log directories under ~/.mini-agent/, which is normal for a tool of this type but worth auditing because logs may include sensitive request contents.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install mini-agent - 安装完成后,直接呼叫该 Skill 的名称或使用
/mini-agent触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release
元数据
常见问题
Mini-Agent 是什么?
Mini-Max AI 编程助手 - 基于 MiniMax M2.5 模型的智能代码开发工具,支持文件操作、命令执行、代码编写等功能。适用于 OpenClaw Agent 系统。 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 422 次。
如何安装 Mini-Agent?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install mini-agent」即可一键安装,无需额外配置。
Mini-Agent 是免费的吗?
是的,Mini-Agent 完全免费(开源免费),可自由下载、安装和使用。
Mini-Agent 支持哪些平台?
Mini-Agent 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Mini-Agent?
由 L1-M1ng(@l1-m1ng)开发并维护,当前版本 v1.0.0。
推荐 Skills