Minimax Image Gen

使用 Minimax Image API 生成图片。支持文生图、13+ 种风格预设、跨平台。 neuroXY 专属画图技能！ Use when: 用户想生成图片、AI 画图、创建图像。 NOT for: 视频生成、动画制作。

This skill appears to do what it claims (generate images via Minimax) and only requires MINIMAX_API_KEY, but there are two things to check before installing or running it: 1) SSL verification is disabled in the script when calling the API and downloading images (ssl.check_hostname=False; verify_mode=ssl.CERT_NONE). That means an attacker on your network could intercept requests and steal your API key or responses. If you plan to use this skill, either run it only on trusted networks or edit the script to remove the lines that disable certificate verification so TLS is enforced. 2) The script will try to read ~/.openclaw/openclaw.json (and a parent-path variant) to auto-load an API key. If that file contains other credentials, the script will open it while searching for a Minimax key. To minimize risk, prefer supplying MINIMAX_API_KEY via an explicit environment variable and inspect/remove any sensitive keys from the config file first. Other suggestions: review the full script locally before running, confirm the base_url (https://api.minimaxi.com) matches the official endpoint you expect, and run in a contained environment if you are not comfortable modifying the code. If the SSL disabling is fixed and you supply the key via env only, the skill would be coherent and lower-risk.

Type: OpenClaw Skill Name: minimax-image-gen Version: 1.1.0 The skill contains a significant security vulnerability by explicitly disabling SSL/TLS certificate verification (ssl.CERT_NONE) in scripts/gen.py during both API communication and image downloads. It also accesses the user's home directory to read a global configuration file (~/.openclaw/openclaw.json) to retrieve API keys. While these behaviors appear aimed at user convenience and avoiding environment-specific certificate issues, they introduce MITM risks and perform unauthorized file access outside the skill's scope.