中文 EN
Start Review
Skill Trust Decision

minimax-image-gen

The skill performs legitimate image generation but disables SSL certificate verification while claiming SSL/TLS encryption in documentation - a doc-to-code mismatch creating MITM vulnerability risk.

Install decision first Source: Manual upload Scanned: Apr 4, 2026
Files 2
Artifacts 7
Violations 0
Findings 2
Most direct threat evidence
High Doc Mismatch
SSL/TLS security claim contradicts code implementation

SKILL.md lists 'SSL/TLS 加密传输' under security features, but scripts/gen.py disables SSL certificate verification at lines 171-172 and 226-227, creating vulnerability to man-in-the-middle attacks.

scripts/gen.py:171

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Review
Hidden execution and egress

7 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 1 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

SSL verification disabled +25

Lines 171-172 and 226-227 disable hostname checking and certificate verification via ssl.CERT_NONE

Documentation deception +15

SKILL.md claims 'SSL/TLS 加密传输' but code actually disables SSL verification

No malicious indicators +-10

No credential exfiltration, no reverse shell, no C2 communication detected

subprocess usage documented +-5

Cross-platform image preview (open/xdg-open) declared in SKILL.md under '跨平台支持'

Most important evidence

High Doc Mismatch

SSL/TLS security claim contradicts code implementation

SKILL.md lists 'SSL/TLS 加密传输' under security features, but scripts/gen.py disables SSL certificate verification at lines 171-172 and 226-227, creating vulnerability to man-in-the-middle attacks.

scripts/gen.py:171
Set ctx.check_hostname = True and ctx.verify_mode = ssl.CERT_REQUIRED, or remove the custom SSL context entirely to use system defaults.
Medium Sensitive Access

Reads API configuration from OpenClaw config file

The script searches for API keys in ~/.openclaw/openclaw.json and parent directories. While not exfiltrating data, this accesses configuration files outside the skill's declared scope.

scripts/gen.py:206
Document this behavior in SKILL.md or limit to only explicitly configured paths.

Declared capability vs actual capability

Network Pass
Declared READ
Inferred READ
SKILL.md:requires:env MINIMAX_API_KEY - legitimate API calls
Filesystem Pass
Declared WRITE
Inferred WRITE
scripts/gen.py:280-290 - saves images to output directory
Shell Pass
Declared WRITE
Inferred WRITE
scripts/gen.py:263-270 - cross-platform image preview (open/xdg-open)
Environment Pass
Declared READ
Inferred READ
scripts/gen.py:199 - reads MINIMAX_API_KEY

Suspicious artifacts and egress

Medium External URL
https://platform.minimaxi.com/docs/api-reference/image-generation-t2i

SKILL.md:4

Medium External URL
https://img.shields.io/badge/GitHub-neuroXY-blue

SKILL.md:22

Medium External URL
https://img.shields.io/badge/Version-1.1.0-green

SKILL.md:23

Medium External URL
https://img.shields.io/badge/Platform-Windows%2FMac%2FLinux-yellow

SKILL.md:24

Medium External URL
https://img.shields.io/badge/License-MIT-orange

SKILL.md:25

Medium External URL
https://platform.minimaxi.com/user-center/interface-key

SKILL.md:86

Medium External URL
https://api.minimaxi.com

scripts/gen.py:231

Dependencies and supply chain

There are no structured dependency warnings.

File composition

2 files · 775 lines
Python 1 files · 490 linesMarkdown 1 files · 285 lines
Files of concern · 2
scripts/gen.py Python · 490 lines
SSL/TLS security claim contradicts code implementation · Reads API configuration from OpenClaw config file · https://api.minimaxi.com
SKILL.md Markdown · 285 lines
https://platform.minimaxi.com/docs/api-reference/image-generation-t2i · https://img.shields.io/badge/GitHub-neuroXY-blue · https://img.shields.io/badge/Version-1.1.0-green · https://img.shields.io/badge/Platform-Windows%2FMac%2FLinux-yellow · https://img.shields.io/badge/License-MIT-orange · https://platform.minimaxi.com/user-center/interface-key

Security positives

No credential exfiltration detected - API keys used only for local API calls
Input sanitization implemented to prevent XSS/script injection
Prompt length validation prevents resource exhaustion
Subprocess usage for image preview is documented in SKILL.md
Error handling for various API error codes present
No base64-encoded execution or obfuscation detected
No sensitive file access (~/.ssh, ~/.aws, .env) beyond declared API key locations
No reverse shell, C2 communication, or data theft patterns