MiniMax Media Generator

MiniMax 媒体生成插件 - 图片/视频/TTS/音乐生成，支持交互式选择模型

Do not trust or run generate.sh as-is. It contains a hardcoded MiniMax API key and writes to /Users/rocky/Desktop — behavior that contradicts the manifest and SKILL.md. That embedded key could be someone else's credential (risking unexpected billing, misuse, or leakage). Recommended actions before installing/using: 1) Inspect and remove or disable generate.sh (or replace the hardcoded key and absolute paths with references to your own MINIMAX_API_KEY and MINIMAX_OUTPUT_DIR). 2) Prefer using the provided install.sh which prompts you to input your own API key and writes it to ~/.openclaw/openclaw.json. 3) After running install.sh, verify openclaw.json content and confirm only your key was added. 4) Search the package for any other hardcoded secrets or absolute paths. 5) If you or your environment ever ran generate.sh with the embedded key, assume that key is compromised: rotate/replace your own MiniMax API key and contact MiniMax if you need to investigate billing/usage. 6) Only enable this skill if you accept the risk of embedded secrets and have sanitized the code; otherwise decline or ask the publisher for a clean release that does not include hardcoded credentials.

Type: OpenClaw Skill Name: rocky-minimax-media Version: 1.0.0 The skill bundle contains multiple security vulnerabilities and poor practices. Specifically, `generate.sh` and `scripts/minimax.sh` are vulnerable to shell command injection because user-provided prompts and filenames are used directly within shell commands without sanitization. Additionally, `generate.sh` contains a hardcoded MiniMax API key and hardcoded absolute file paths (`/Users/rocky/Desktop`), which are characteristic of unvetted development scripts. While these issues allow for potential exploitation, there is no clear evidence of intentional malice or data exfiltration.