← 返回 Skills 市场
1091
总下载
0
收藏
2
当前安装
1
版本数
在 OpenClaw 中安装
/install minimax-speech
功能描述
Manage MiniMax Speech 2.8 TTS requests, voice catalog lookups, and precise voice/audio configuration using MiniMax API via CLI or script.
安全使用建议
This appears to be a legitimate MiniMax TTS helper, but be cautious before installing or running it. Key points:
- The script requires MINIMAX_API_KEY even though the registry metadata doesn't declare it; verify you are comfortable providing that API key and understand its privilege level (create a limited/test key if possible).
- The CLI accepts an --endpoint override; do not point it at unknown or untrusted URLs, because your API key and audio payloads will be sent there. Prefer the default https://api.minimax.io endpoints or your organization's approved endpoints.
- Inspect scripts/minimax_tts.py (already present) yourself — it is short and readable; run it in an isolated environment (virtualenv/container) and test with a limited-key account before using real/production credentials.
- If you rely on the registry metadata for automation, update or correct the metadata to declare MINIMAX_API_KEY so tools and reviewers are not misled.
If you want higher assurance, ask the publisher for a homepage/source repo, or request a signed/reproducible release from an identifiable maintainer.
功能分析
Type: OpenClaw Skill
Name: minimax-speech
Version: 1.0.0
The `scripts/minimax_tts.py` skill, while intended for legitimate MiniMax API interaction, contains several vulnerabilities. The `--endpoint` argument allows the `MINIMAX_API_KEY` to be sent to an arbitrary URL, posing a risk of credential exfiltration if the AI agent is prompted to use a malicious endpoint. Additionally, the `--output` argument in both `tts` and `voices` subcommands is vulnerable to path traversal, potentially allowing arbitrary file writes outside the intended directory. The `decode_audio` function also allows downloading content from arbitrary URLs if the `output_format` is set to `url` and the API response contains a malicious URL. These are significant vulnerabilities that could be exploited via prompt injection or malicious input, but there is no clear evidence of intentional malicious design within the code or `SKILL.md`.
能力评估
Purpose & Capability
The skill's name/description match the code and SKILL.md: it performs TTS and voice-catalog requests. However, the registry metadata declares no required environment variables or primary credential, while both SKILL.md and scripts/minimax_tts.py require MINIMAX_API_KEY; that metadata omission is an incoherence (the skill actually needs a credential to work).
Instruction Scope
The runtime instructions stay within TTS/catalog lookup scope (install requests, set MINIMAX_API_KEY, run the provided CLI). The script prints/dumps API responses and writes audio/catalog JSON to disk. One noteworthy capability: both the SKILL.md and script allow overriding the API endpoint (--endpoint), so an operator or an automated agent could be directed to send the API key and payload to an arbitrary URL — this is expected for debugging/region overrides but increases the risk surface if endpoints are malicious.
Install Mechanism
No install spec in the registry; SKILL.md asks only for 'pip install requests' and Python 3.11+. There are no remote downloads, no archive extraction, and the only included code is a single Python script. This is low installation risk.
Credentials
The script requires MINIMAX_API_KEY (checked at runtime) but the registry metadata lists no required env vars or primary credential — an inconsistency that could mislead users about what secrets they must provide. Requiring a single API key is proportionate to a TTS client, but because the CLI can target an arbitrary endpoint, supplying the key could result in it being sent to unexpected endpoints if the endpoint is changed.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills or system-wide settings, and is runnable only when invoked. It writes output files only when asked and does not request elevated or persistent privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install minimax-speech - 安装完成后,直接呼叫该 Skill 的名称或使用
/minimax-speech触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of MiniMax Speech 2.8 helper
元数据
常见问题
MiniMax Speech 2.8 是什么?
Manage MiniMax Speech 2.8 TTS requests, voice catalog lookups, and precise voice/audio configuration using MiniMax API via CLI or script. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1091 次。
如何安装 MiniMax Speech 2.8?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install minimax-speech」即可一键安装,无需额外配置。
MiniMax Speech 2.8 是免费的吗?
是的,MiniMax Speech 2.8 完全免费(开源免费),可自由下载、安装和使用。
MiniMax Speech 2.8 支持哪些平台?
MiniMax Speech 2.8 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 MiniMax Speech 2.8?
由 wingchiu(@wingchiu)开发并维护,当前版本 v1.0.0。
推荐 Skills