Security Scan
OpenClaw
Suspicious
Medium confidence. The skill largely does what it says (opens the MiniMax billing page and scrapes plan/usage info), but the code also extracts API key-like strings from the page without documenting this in SKILL.md, a potentially sensitive, disproportionate action.
Assessment and recommendations
This skill will open a local browser and scrape the MiniMax billing page for plan/usage information. However, its code also searches the page text for API-key-like strings (regex for 'sk-cp-...') and will print/return any matches — a sensitive behavior that is not documented in SKILL.md. Before installing or running: 1) Inspect the script yourself or ask the publisher to explicitly disclose API-key extraction and whether keys are stored, transmitted, or logged. 2) If you want only plan/usage inf...
ℹ Purpose and capability
The skill's stated purpose is to retrieve MiniMax plan/usage info; the script automates a browser to open the MiniMax billing page and scrape text, which is a plausible implementation. However, the code also searches for API keys (pattern sk-cp-...) which is not mentioned in the SKILL.md outputs — this extra capability should be explicitly documented.
⚠ Instruction scope
SKILL.md instructs the user to run the provided script and describes returned fields (plan name, quota, usage); it does not mention extracting API keys. The script evaluates page DOM and runs regex to find API keys and returns/prints them. That is scope creep: the runtime instructions do not disclose that secrets visible in the page will be extracted and printed.
✓ Install mechanism
No install spec in the registry; the script requires the third-party package Playwright and a browser runtime (the script prints a message to pip install/playwright install chromium). This is expected for browser automation and no arbitrary remote downloads or obscure installers are embedded in the skill bundle.
⚠ Credential requirements
The skill does not request environment variables, which is good, but it programmatically searches the page for API keys and prints them. Extracting and exposing API keys (or other secrets displayed in the page) is a sensitive action not justified or disclosed by the SKILL.md output list.
✓ Persistence and privileges
The skill is not always-enabled and does not request persistent privileges or modify other skills or system-wide configuration. It runs as an on-demand local script and opens a visible browser instance (headful).
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/3/11
- Initial release of minimax-plan-checker.
- Allows users to query MiniMax platform plan details, usage, and billing info.
- Supports both browser-based automatic retrieval and manual instructions.
- Output includes plan name, quota details, and usage statistics.
- Requires user to log in to their MiniMax account if not already logged in.
● Suspicious
Install command
Official: npx clawhub@latest install minimax-plan-checker
Mirror: npx clawhub@latest install minimax-plan-checker --registry https://cn.clawhub-mirror.com
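Skill documentation
Retrieves the plan name, quota, and current usage from the MiniMax platform.
Usage
Method 1: Retrieve via automatic browser login (recommended)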
python C:\Users\YangF\.openclaw\workspace\skills\minimax-plan-checker\scripts\get_plan.py
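Method 2: Use directly in conversation
Tell the user that a browser needs to be opened, and ask whether to automatically open the MiniMax platform page to retrieve the plan information.
Output format
The script outputs the following information:
- Plan name: e.g. "Chat API" / "MoE API"
- Quota information: total quota, used quota, remaining quota
- Usage statistics: number of API calls, token usage, etc.
Notes
- The user must already be logged in to their MiniMax account
- If not logged in, the browser opens the login page; the user logs in and then runs the script again
- Page URL: https://platform.minimaxi.com/用户-center/payment/coding-plan
Data source: ClawHub · Chinese localization: 龙虾技能库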