← 返回 Skills 市场

MiniMax MCP Search

Name: MiniMax MCP Search
Author: hillsp99

作者 HillSP · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

969

总下载

当前安装

版本数

在 OpenClaw 中安装

/install minimax-mcp-v2

功能描述

Perform real-time web searches and analyze images using MiniMax MCP with input prompts and flexible image sources.

安全使用建议

This skill appears to do what it says, but exercise caution before installing or running it: - mcporter install: The skill expects the 'mcporter' CLI (npm package). Only install mcporter if you trust its source; audit the npm package and its maintainers. - API key handling: SKILL.md mentions a MiniMax API key but the manifest doesn't declare any required env vars. Ask or verify where the API key is stored (mcporter config file?) and who/what can access it. - Local file exfiltration risk: The skill accepts arbitrary local file paths for image analysis and forwards them to an external service via mcporter. Do not point it at sensitive files. Consider restricting allowed image paths or running the skill in a sandboxed environment. - Command injection: search.py constructs shell commands by interpolating user input into mcporter calls and uses subprocess.run(..., shell=True). If untrusted input reaches these functions, an attacker could inject shell commands. Prefer sanitized arguments or using subprocess with an argv list (no shell), or otherwise validate and escape inputs. Recommended actions before use: review the mcporter package code and its network behavior; confirm where API keys/configs are stored; avoid using with sensitive local files; and request or patch the skill to avoid shell=True and to declare required credentials explicitly. If you are not comfortable auditing dependencies or running code from this author, treat the skill as untrusted.

功能分析

Type: OpenClaw Skill Name: minimax-mcp-v2 Version: 1.0.0 The `search.py` script is highly vulnerable to shell injection. It uses `subprocess.run` with `shell=True` and directly interpolates user-controlled inputs (`query`, `prompt`, `image_path`) into the shell command strings without proper sanitization. This allows an attacker to execute arbitrary commands on the host system by crafting malicious input for the `web_search` and `understand_image` functions, posing a severe remote code execution risk.

能力评估

✓ Purpose & Capability

Name, description, and code align: the skill shells out to the 'mcporter' CLI to perform web_search and understand_image, and the manifest lists mcporter as the required binary/package. Requesting mcporter is coherent with the stated purpose.

⚠ Instruction Scope

SKILL.md and search.py allow submitting local file paths or URLs for image analysis. The code passes user-supplied strings directly into shell commands (subprocess.run with shell=True) without sanitization, which can enable shell/command injection. Also, sending arbitrary local paths to an external service can cause sensitive-file exfiltration if mcporter/transit is untrusted.

ℹ Install Mechanism

_install_ in _meta.json installs the npm package 'mcporter' globally. Installing an npm package is a moderate-risk mechanism (code pulled from the npm registry). This is expected for a tool that invokes an external CLI, but there is an inconsistency: the top-level metadata said 'No install spec — instruction-only', while _meta.json includes an install step. Verify the intended install behavior and the trustworthiness of the 'mcporter' package.

⚠ Credentials

SKILL.md mentions '首次使用需配置 MiniMax API Key（已在配置文件中设置）' (an API key is required), but the manifest declares no required environment variables or primary credential. The skill therefore expects secrets to be configured externally (e.g., in mcporter config files) but does not declare or document them clearly — an incoherence that can hide where keys are stored and who/what can access them.

✓ Persistence & Privilege

The skill does not request always:true or any special persistent privileges and does not modify other skills or system-wide settings. Autonomous invocation is allowed (default) but not flagged on its own. No other privilege escalation indicators are present.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install minimax-mcp-v2
安装完成后，直接呼叫该 Skill 的名称或使用 /minimax-mcp-v2 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of MiniMax MCP Search Skill. - Supports real-time web search with concise results (title, link, summary, date) via MiniMax MCP. - Enables image understanding for both local files and URLs in JPEG, PNG, or WebP formats. - Requires installation of mcporter and pre-configured MiniMax API Key. - Clear usage instructions and parameter descriptions provided for all tools.

元数据

Slug minimax-mcp-v2

版本 1.0.0

许可证 —

累计安装 4

当前安装数 4

历史版本数 1

常见问题

MiniMax MCP Search 是什么？

Perform real-time web searches and analyze images using MiniMax MCP with input prompts and flexible image sources. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 969 次。

如何安装 MiniMax MCP Search？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install minimax-mcp-v2」即可一键安装，无需额外配置。

MiniMax MCP Search 是免费的吗？

是的，MiniMax MCP Search 完全免费（开源免费），可自由下载、安装和使用。

MiniMax MCP Search 支持哪些平台？

MiniMax MCP Search 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 MiniMax MCP Search？

由 HillSP（@hillsp99）开发并维护，当前版本 v1.0.0。