by 安全扫描
OpenClaw
可疑
medium confidenceThe skill does what it claims (automates a local browser to read MiniMax usage) but includes sensitive behaviors—saving plaintext credentials to a workspace file and operating on the Default browser profile—that increase risk and deserve user review.
评估建议
This skill does what it says — it automates your local browser to log in and scrape MiniMax usage — but it stores credentials in plaintext in ~/.openclaw/workspace/memory/minimax-login.txt and uses your Chrome 'Default' profile (which may expose other logged-in sessions). Before installing: (1) inspect or run the scripts locally to confirm behavior; (2) consider creating and using a dedicated browser profile for this skill instead of 'Default'; (3) avoid storing passwords — remove or rotate the ...详细分析 ▾
✓ 用途与能力
Name/description match implementation: scripts automate a local Chrome session (via browser-use) to open the MiniMax coding plan page and scrape token usage. No unrelated cloud credentials, binaries, or external services are requested.
⚠ 指令范围
SKILL.md and scripts instruct the agent to open the user's local Chrome profile, perform login flows, scrape DOM text, and save login credentials to a local memory file (~/.openclaw/workspace/memory/minimax-login.txt). Saving credentials and using the Default profile expands scope beyond read-only querying and may expose other logged-in accounts or data in that profile.
✓ 安装机制
No install spec or remote downloads; this is instruction-only plus included scripts. No remote code fetches or archive extraction were found in the provided files.
⚠ 凭证需求
The skill requests no environment variables, which is appropriate, but it writes/reads a plaintext credential file inside the user's workspace and operates on the browser 'Default' profile. Persisting passwords in plaintext and using the main browser profile are disproportionate from a least-privilege perspective and increase exposure.
ℹ 持久化与权限
always is false and the skill does not attempt to modify other skills or global agent settings. It does persist credentials to a memory file under the user's workspace (and sets chmod 600), which is normal for convenience but is persistent sensitive state that the user should be aware of.
⚠ query-quick.js:14
Shell command execution detected (child_process).
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.42026/3/9
- No code or documentation changes detected in this version. - Functionality and usage instructions remain unchanged.
● 可疑
安装命令 点击复制
官方npx clawhub@latest install minimax-token-used-query
镜像加速npx clawhub@latest install minimax-token-used-query --registry https://cn.clawhub-mirror.com
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制