Total downloads: 1026
Favorites: 0
Current installs: 3
Versions: 2
Install in OpenClaw
/install minimax-coding-plan
Description
MiniMax Coding Plan native web search and image understanding for OpenClaw. Use when the user specifically wants MiniMax-native search or image analysis, or...
Security recommendations
This skill appears to perform MiniMax web search and image analysis by calling an external API (DEFAULT_HOST https://api.minimaxi.com). Before installing:
- Be aware the script will upload image contents (base64) and your queries to that external host.
- The code will look for an API key in MINIMAX_API_KEY or by reading OpenClaw auth-profiles.json files from several locations (OPENCLAW_AUTH_PROFILES_JSON, OPENCLAW_AGENT_DIR, OPENCLAW_HOME, ~/.openclaw, /home/admin/.openclaw). Confirm you are comfortable with the skill reading those files (they can contain other secrets).
- The skill's registry metadata does not declare MINIMAX_API_KEY or the auth-profile access; that mismatch is a red flag. Ask the author to document required env vars and why those paths are searched.
- Because no homepage or publisher information is provided and the API host is external, verify the trustworthiness of the MiniMax API endpoint before sending sensitive images or data.
- If you decide to use it: supply MINIMAX_API_KEY explicitly in a controlled environment, or ensure auth-profiles.json files do not contain unrelated secrets; consider network monitoring or running in a sandbox if you need to audit what is sent.
I have moderate confidence in this assessment; providing the skill's author or a canonical homepage, or confirming the API host is legitimate and the exact format of auth-profiles.json, would increase confidence.
Functional analysis
Type: OpenClaw Skill
Name: minimax-coding-plan
Version: 0.1.1
The skill contains a vulnerability in `scripts/minimax_plan.py` where the `understand_image` tool accepts arbitrary file paths via the `--image-source` argument without validation, potentially allowing an attacker to exfiltrate sensitive local files (base64-encoded) to the MiniMax API (api.minimaxi.com). Additionally, the script automatically searches for authentication tokens across multiple local filesystem paths, including hardcoded locations like `/home/admin/.openclaw/`, which could lead to unauthorized access to credentials if the environment is misconfigured. While these behaviors are documented and intended to support the skill's functionality, the lack of path restrictions presents a significant security risk.
Capability assessment
Purpose & Capability
The code implements web_search and understand_image endpoints against a MiniMax API host, matching the skill's stated purpose. It also attempts to obtain a MiniMax API key from MINIMAX_API_KEY or from OpenClaw auth profile files, which is reasonable for an API client. However the skill metadata declared no required environment variables even though MINIMAX_API_KEY is used at runtime.
Instruction Scope
Runtime behavior is mostly within scope (sending queries and image data to the MiniMax API). Concerns: the code will read multiple candidate auth-profiles.json files from OpenClaw agent dirs (OPENCLAW_AUTH_PROFILES_JSON, OPENCLAW_AGENT_DIR, OPENCLAW_HOME, ~/.openclaw, and /home/admin/.openclaw). While it only extracts specific fields for a minimax profile, scanning those locations can expose other sensitive agent configuration files and tokens to the skill's logic. The script also fetches remote image URLs (downloading arbitrary user-supplied URLs) and base64-uploads image content to the external API — expected for image understanding but important to be aware of.
Install Mechanism
No install spec; the skill is instruction/code-only and runs the included Python script. Nothing is downloaded at install time and no additional packages or network installers are invoked.
Credentials
Registry metadata claims no required env vars, but the runtime uses MINIMAX_API_KEY and several OpenClaw environment variables (OPENCLAW_AUTH_PROFILES_JSON, OPENCLAW_AGENT_DIR, OPENCLAW_HOME) to find auth profiles. Requesting access to agent auth profiles (which may contain other credentials) is broader than the skill metadata indicates and should have been declared and justified.
Persistence & Privilege
The skill does not request always:true, does not write to system-wide configs, and does not persist new credentials. It runs on demand and does not change other skills' configurations.
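How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install minimax-coding-plan
- Once installed, call the Skill by name or trigger it with /minimax-coding-plan
- Provide the required input according to the Skill's parameter description to get structured output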
Version history
v0.1.1
Remove build artifacts and keep the public package portable across OpenClaw installs.
v0.1.0
Initial public release with MiniMax-native web search and image understanding.
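FAQ
What is MiniMax Coding Plan?
MiniMax Coding Plan native web search and image understanding for OpenClaw. Use when the user specifically wants MiniMax-native search or image analysis, or... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1026 cumulative downloads so far.
How do I install MiniMax Coding Plan?
Run the command "/install minimax-coding-plan" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.
Is MiniMax Coding Plan free?
Yes, MiniMax Coding Plan is completely free (open source and free of charge) and can be freely downloaded, installed, and used.
Which platforms does MiniMax Coding Plan support?
MiniMax Coding Plan is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed MiniMax Coding Plan?
It is developed and maintained by YJLi-new (@yjli-new); the current version is v0.1.1.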