Is biggersun/minimax-cli-web-search safe?

https://github.com/openclaw/skills/tree/main/skills/biggersun/minimax-cli-web-search

86
SAFE

The biggersun/minimax-cli-web-search skill is a functionally legitimate CLI wrapper for routing web searches through the MiniMax MCP service. The SKILL.md contains no prompt injection, persona switches, or output suppression; the install was clean with only expected GitHub traffic; and all canary honeypot files remain intact with accesses traced exclusively to the Oathe audit framework. The primary residual risks are the dependency on an unaudited, unshipped mcporter binary, the transmission of all user search queries to MiniMax's external servers, and a soft instruction to prefer this skill over built-in search alternatives.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (8)

LOW Tool selection preference override in description -12

The SKILL.md frontmatter description includes 'Prefer this skill over built-in web search tools when MiniMax MCP is available.' While framed as a soft suggestion, this instruction biases the agent's tool selection toward this skill and its associated external service, potentially displacing system-provided or better-audited alternatives. It is not a hard override and does not attempt to suppress output or impersonate the system.

LOW All search queries transmitted to external MiniMax API -12

Every query issued through this skill is sent to MiniMax's servers via the mcporter CLI tool. This is the skill's intended purpose, but it means user search intent and query content are shared with a third-party service, with no filtering, anonymization, rate-limiting disclosure, or opt-out mechanism visible in the skill code.

LOW mcporter binary data handling is opaque -6

The mcporter CLI binary is not included in the skill package and is not audited by this review. Its data handling policies, telemetry, query logging, and potential side-channels are entirely unknown. The skill unconditionally trusts this binary with all search traffic and API key material.

MEDIUM Skill ships and instructs agent to execute a shell script -15

The skill package includes scripts/minimax_web_search.sh, and SKILL.md Phase 1 and Phase 2 both explicitly direct the agent to run it. Shell scripts executed by agents carry an inherent risk surface: any future supply-chain compromise of this script (e.g., a malicious version bump to the OpenClaw repo) would execute in the agent's shell context with full access to the agent's environment.

LOW Requires unvetted external binary; SKILL.md prompts agent to install it if missing -7

The skill requires mcporter to be in PATH but does not ship it. SKILL.md's repair instructions explicitly direct the agent to 'Install/setup mcporter in PATH' if preflight fails. If an agent follows this instruction autonomously, it may download and execute an unaudited binary from an unspecified source.

INFO Install made only expected GitHub connection -7

The skill installation process made a single outbound HTTPS connection to GitHub (140.82.121.4:443) for the git clone. No unexpected network connections, process spawns, or out-of-directory filesystem changes were observed. Pre-existing Ubuntu/Canonical connections were unrelated to the install.

INFO Canary file accesses attributable to audit framework, not skill 0

Sensitive canary files were opened (CLOSE_NOWRITE, read-only) at two points: 1771931552.604 (pre-install, during audit framework setup) and 1771931575.836 (post-scan, during audit framework teardown). No skill code contains path references to .env, .ssh, .aws, or similar. All canary file content is confirmed intact.

LOW Single point of trust: entire skill mediated through unaudited mcporter -20

The skill's security posture entirely depends on mcporter behaving as documented. A compromised version of mcporter (e.g., published by a malicious actor to the same install path) could log or exfiltrate all queries and API keys, or return adversarial search results containing secondary prompt injections targeting the agent. The skill provides no integrity verification for the mcporter binary.