minimax-tokenplan-tts

Security checks across malware telemetry and agentic risk

Overview

This text-to-speech skill is mostly purpose-aligned, but it stores the MiniMax API credential in plaintext inside the skill files and disables TLS certificate and hostname verification for the streaming playback WebSocket.

Review before installing. Do not paste a real MiniMax API key into SKILL.md or the Python files; prefer a temporary environment variable or command-line secret handling, and rotate any key already stored there. Avoid the streaming playback script until TLS verification is restored.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The initialization instructions tell operators to copy the API key directly into `scripts/generate.py`, `scripts/stream_play.py`, and a configuration table, which creates persistent plaintext secret storage inside the skill files. That sharply increases the chance of accidental disclosure through logs, backups, version control, workspace sharing, or later inspection by other agents or users.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The code explicitly disables TLS hostname verification and certificate validation for the WebSocket connection. This allows a man-in-the-middle attacker to impersonate the TTS service, intercept the API key and user text, and inject arbitrary audio data or protocol responses.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The client sends bearer credentials and user-supplied text over a WebSocket session whose certificate checks are disabled, and the script provides no meaningful warning to the operator. In this context, the combination materially increases the chance of credential theft and disclosure of potentially sensitive text content during transit.
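The two TLS findings above describe the pattern but the page does not reproduce the skill's code. The following is an added example, not code from the skill or from SkillSpector: it shows the disabled-verification context the findings describe, the hardened replacement that restores chain validation and hostname matching, and a small source-level check a reviewer can run over `scripts/stream_play.py` before installing. The sample source is constructed for the check; the `websockets` call shape and the optional `cafile` argument are assumptions.

```python
"""Added example: disabled vs. hardened TLS context for a WebSocket client,
plus a source scan for the patterns that switch verification off."""
import re
import ssl
from typing import List, Optional, Tuple


def insecure_ssl_context() -> ssl.SSLContext:
    # The pattern the findings describe: the client accepts any certificate
    # from anyone, so a man-in-the-middle can impersonate the TTS endpoint
    # and read the bearer key and user text from the session.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_ssl_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    # Default context already validates the chain against the system trust
    # store and matches the hostname; cafile is only for a private CA
    # (assumption: the real service needs none). Pass the result as
    # websockets.connect(url, ssl=ctx) or the equivalent in the client used.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_verification_enabled(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Patterns that disable verification in common Python clients
# (ssl module, aiohttp ssl=False, requests verify=False, websocket-client sslopt).
DISABLE_PATTERNS = [
    r"check_hostname\s*=\s*False",
    r"verify_mode\s*=\s*ssl\.CERT_NONE",
    r"\bssl\s*=\s*False\b",
    r"\bverify\s*=\s*False\b",
    r"\bsslopt\s*=\s*\{[^}]*CERT_NONE",
]


def find_disabled_tls(source: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for every line that disables TLS checks."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if any(re.search(pat, line) for pat in DISABLE_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample standing in for a streaming playback script;
# not the skill's real stream_play.py.
SAMPLE_STREAM_PLAY = """import ssl, websockets
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
async with websockets.connect(URL, ssl=ctx) as ws:
    pass
"""


if __name__ == "__main__":
    for lineno, text in find_disabled_tls(SAMPLE_STREAM_PLAY):
        print(f"stream_play.py:{lineno}: disables TLS verification: {text}")
    print("hardened context verifies:", tls_verification_enabled(hardened_ssl_context()))
```

A clean report from `find_disabled_tls` is a precondition for running the playback script, not proof the client is safe; it catches the explicit flags the finding names, not a custom `SSLContext` built elsewhere or a client library with its own defaults.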

Ssd 3

Severity: High
Confidence: 98%
Finding
The initialization workflow explicitly instructs the agent to request the user's API key and then write it into scripts and a visible `## 配置` (Configuration) table. In the context of an agent skill, this is especially dangerous because natural-language instructions may cause secrets to be echoed into chat, stored in workspace files, exposed to other tools, or retained in shared history.
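The Overview and the two secret-storage findings (Intent-Code Divergence and the one above) recommend an environment variable instead of pasting the key into the scripts and the `## 配置` table. The following is an added example, not code from the skill: a run-time loader that fails closed when the variable is absent, and a pre-install scan of the skill files for key-looking literals in assignments and table rows, reporting a redacted fingerprint rather than the value. The variable name `MINIMAX_API_KEY` and the sample file contents are assumptions constructed for the example.

```python
"""Added example: read the MiniMax key from the environment at run time and
scan skill files for plaintext keys before installing."""
import os
import re
from typing import Dict, List, Mapping, Optional, Tuple

ENV_VAR = "MINIMAX_API_KEY"  # assumed name; the skill's own name is not shown


def load_api_key(env: Optional[Mapping[str, str]] = None) -> str:
    """Return the key from the environment; refuse to run without it rather
    than fall back to a value embedded in the skill files."""
    source = os.environ if env is None else env
    key = source.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; export it for this session, do not paste it into the skill")
    return key


# A key-looking name assigned a long quoted literal, e.g. API_KEY = "....".
ASSIGN_RE = re.compile(r"""(?i)\b(?:api[_-]?key|token|secret)\s*[:=]\s*["'](?P<value>[^"']{16,})["']""")
# A markdown table row whose first cell mentions a key and whose second cell is a long token.
TABLE_RE = re.compile(r"""(?i)^\|\s*[^|]*key[^|]*\|\s*(?P<value>[^|\s]{16,})\s*\|""")
PLACEHOLDER_MARKERS = ("your", "xxx", "<", "example", "changeme", "...")


def looks_like_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def redact(value: str) -> str:
    # Enough to recognise and rotate the key, not enough to reuse it.
    return f"{value[:4]}...({len(value)} chars)"


def find_plaintext_keys(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line number, redacted value) for each suspected plaintext key."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            match = ASSIGN_RE.search(line) or TABLE_RE.search(line)
            if match and not looks_like_placeholder(match.group("value")):
                hits.append((path, lineno, redact(match.group("value"))))
    return hits


# Constructed skill contents; values are samples, not real credentials.
SAMPLE_FILES = {
    "SKILL.md": "## 配置\n\n| Setting | Value |\n|---|---|\n"
                "| MINIMAX_API_KEY | constructed-sample-key-abcdef0123 |\n",
    "scripts/generate.py": 'import os\nAPI_KEY = "constructed-sample-key-0123456789"  # pasted in\n',
    "scripts/stream_play.py": 'import os\nAPI_KEY = os.environ["MINIMAX_API_KEY"]\n',
    "README.md": 'api_key = "YOUR_MINIMAX_API_KEY"\n',  # placeholder, should not be flagged
}


if __name__ == "__main__":
    for path, lineno, fingerprint in find_plaintext_keys(SAMPLE_FILES):
        print(f"{path}:{lineno}: plaintext key {fingerprint}; rotate it and move it to {ENV_VAR}")
```

Run the scan over the skill directory before the first install and again after any re-initialization, since the workflow rewrites the files; any hit means the key is already exposed and should be rotated, not just deleted.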

VirusTotal

0/65 vendors flagged this skill; all 65 reported it clean. Note that antivirus scanning does not cover the credential-handling and TLS issues reported above.
