← 返回 Skills 市场
110
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install minimax-mcp-tool
功能描述
Provides MiniMax Token Plan web search and image understanding with fallback to Brave Search/Qwen Chat, using environment-injected API keys and no C drive us...
安全使用建议
What to check before installing:
- The script requires MINIMAX_API_KEY (and optionally MINIMAX_PYTHON/MINIMAX_API_HOST) even though the registry metadata lists none — add only the key you intend to use and confirm the registry is updated.
- The Node script launches a local Python module and forwards the entire process environment to that subprocess. If your agent/process environment contains other secrets (other API keys, tokens), those could be visible to the Python code or the remote API it calls. Prefer running this skill with a dedicated, minimal environment (no other secrets), or inspect/contain the Python package before use.
- SKILL.md asserts automatic fallback behavior and zero C: usage; the JavaScript does not implement automatic fallback — fallback appears to be manual (toggle `enabled`). Do not rely on the docs for automation guarantees.
- Audit the pip package minimax-coding-plan-mcp (version referenced in docs) before installing, and install Python from a trusted source.
- If you are uncomfortable with a spawned subprocess inheriting all env vars, do not install or run this skill until the author/maintainer clarifies that only necessary env vars are passed.
If you want, I can: list the exact lines that forward the full environment, propose a safer wrapper that only forwards MINIMAX_API_KEY, or draft a checklist to safely sandbox this skill.
功能分析
Type: OpenClaw Skill
Name: minimax-mcp-tool
Version: 1.0.0
The script `scripts/minimax_mcp.js` uses `execSync` with `shell: true` to execute a command constructed from the `MINIMAX_PYTHON` environment variable, which creates a shell injection vulnerability. Additionally, the skill relies on hardcoded paths to the `E:` drive for virtual environments and SSL certificate bundles (`certifi`), which is brittle and non-standard. While these appear to be unintentional vulnerabilities or workarounds for Windows-specific issues rather than intentional malice, they represent high-risk execution patterns.
能力评估
Purpose & Capability
The skill's code and SKILL.md match the stated purpose: it launches a local Python minimax MCP server (via `-m minimax_mcp.server`) and exposes web_search and understand_image tool calls. However the public registry metadata claims no required env vars while both SKILL.md and the script require MINIMAX_API_KEY (and optionally MINIMAX_PYTHON / MINIMAX_API_HOST). That mismatch between metadata and the actual requirements is an inconsistency users should be aware of.
Instruction Scope
SKILL.md instructs creating a venv on E: and installing minimax-coding-plan-mcp and describes automated fallback behavior to Brave Search / Qwen Chat. The shipped JavaScript implements only calls to the MCP server (search, image, tools) and does not implement any automatic fallback logic or the 'enabled' toggle behavior described in the docs. The docs therefore overstate automation. The runtime instructions do not request unrelated system files, but they do assume the user will install a Python package and provide environment variables.
Install Mechanism
This is an instruction-only skill with no installer spec. The SKILL.md asks the user to pip-install minimax-coding-plan-mcp into a venv; there are no bundled downloads or obscure URLs. Risk from install mechanism is low, but you should audit the referenced Python package before installing.
Credentials
Functionality legitimately requires MINIMAX_API_KEY and optionally a Python path/host. Those are proportionate to the stated purpose. However: (1) the skill's registry metadata does not declare MINIMAX_API_KEY, creating an information gap; and (2) the script starts a Python subprocess and passes {...process.env, MINIMAX_API_KEY, ...}, i.e., it forwards the entire current environment to the subprocess. That means any other environment secrets present in the agent process become accessible to the spawned Python process and anything that package might send over the network — a potential secret-exfiltration/privacy risk.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills or global agent settings, and has no install-time mechanism that writes to system-wide configs. It only runs a subprocess when invoked, which is expected for this function.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install minimax-mcp-tool - 安装完成后,直接呼叫该 Skill 的名称或使用
/minimax-mcp-tool触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
minimax-mcp-tool 1.0.0
- Initial release of the minimax-mcp skill.
- Provides wrapper for MiniMax Token Plan's built-in web_search and image_understanding tools, tailored for Windows compatibility.
- No configuration or C drive occupation required; uses environment variables for credentials.
- Automatic fallback to Brave Search/Qwen Chat if subscription becomes invalid.
- Supports Python virtual environments and package/cache on E drive.
元数据
常见问题
minimax-mcp 是什么?
Provides MiniMax Token Plan web search and image understanding with fallback to Brave Search/Qwen Chat, using environment-injected API keys and no C drive us... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 110 次。
如何安装 minimax-mcp?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install minimax-mcp-tool」即可一键安装,无需额外配置。
minimax-mcp 是免费的吗?
是的,minimax-mcp 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
minimax-mcp 支持哪些平台?
minimax-mcp 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 minimax-mcp?
由 GoDiao(@godiao)开发并维护,当前版本 v1.0.0。
推荐 Skills