minimax-image-gen Security Report — Suspicious | ClawSafe

45 /100

minimax-image-gen

使用 Minimax Image API 生成图片。支持文生图、13+ 种风格预设、跨平台

The skill performs legitimate image generation but disables SSL certificate verification while claiming SSL/TLS encryption in documentation - a doc-to-code mismatch creating MITM vulnerability risk.

Skill Nameminimax-image-gen

Duration38.8s

Enginepi

⚠

Use with caution

Fix SSL verification by setting verify_mode=ssl.CERT_REQUIRED and check_hostname=True. Update documentation to accurately reflect security implementation.

Findings 2 items

Severity	Finding	Location
High	SSL/TLS security claim contradicts code implementation Doc Mismatch SKILL.md lists 'SSL/TLS 加密传输' under security features, but scripts/gen.py disables SSL certificate verification at lines 171-172 and 226-227, creating vulnerability to man-in-the-middle attacks. `ctx.check_hostname = False ctx.verify_mode = ssl.CERT_NONE` → Set ctx.check_hostname = True and ctx.verify_mode = ssl.CERT_REQUIRED, or remove the custom SSL context entirely to use system defaults.	`scripts/gen.py:171`
Medium	Reads API configuration from OpenClaw config file Sensitive Access The script searches for API keys in ~/.openclaw/openclaw.json and parent directories. While not exfiltrating data, this accesses configuration files outside the skill's declared scope. `paths = [ Path.home() / ".openclaw" / "openclaw.json", Path(os.getcwd()).parent / ".openclaw" / "openclaw.json", ]` → Document this behavior in SKILL.md or limit to only explicitly configured paths.	`scripts/gen.py:206`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	SKILL.md:requires:env MINIMAX_API_KEY - legitimate API calls
Filesystem	`WRITE`	`WRITE`	✓ Aligned	scripts/gen.py:280-290 - saves images to output directory
Shell	`WRITE`	`WRITE`	✓ Aligned	scripts/gen.py:263-270 - cross-platform image preview (open/xdg-open)
Environment	`READ`	`READ`	✓ Aligned	scripts/gen.py:199 - reads MINIMAX_API_KEY

7 findings

🔗

Medium External URL 外部 URL

https://platform.minimaxi.com/docs/api-reference/image-generation-t2i

SKILL.md:4

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/GitHub-neuroXY-blue

SKILL.md:22

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/Version-1.1.0-green

SKILL.md:23

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/Platform-Windows%2FMac%2FLinux-yellow

SKILL.md:24

🔗

Medium External URL 外部 URL

https://img.shields.io/badge/License-MIT-orange

SKILL.md:25

🔗

Medium External URL 外部 URL

https://platform.minimaxi.com/user-center/interface-key

SKILL.md:86

🔗

Medium External URL 外部 URL

https://api.minimaxi.com

scripts/gen.py:231

File Tree

2 files · 22.3 KB · 775 lines

Python 1f · 490L Markdown 1f · 285L

├─ ▾ 📁 scripts

│ └─ 🐍 gen.py Python 490L · 15.4 KB

└─ 📝 SKILL.md Markdown 285L · 6.9 KB

Security Positives

✓ No credential exfiltration detected - API keys used only for local API calls

✓ Input sanitization implemented to prevent XSS/script injection

✓ Prompt length validation prevents resource exhaustion

✓ Subprocess usage for image preview is documented in SKILL.md

✓ Error handling for various API error codes present

✓ No base64-encoded execution or obfuscation detected

✓ No sensitive file access (~/.ssh, ~/.aws, .env) beyond declared API key locations

✓ No reverse shell, C2 communication, or data theft patterns

Scan Report

Findings 2 items

File Tree

Security Positives