ClawHub

MiniMax AI音乐生成

Security checks across malware telemetry and agentic risk

Overview

This music-generation skill mostly matches its stated purpose, but it ships with a built-in MiniMax API key and sends user prompts and lyrics to MiniMax, so it needs review before use.

Install only if you are comfortable reviewing and changing the credential behavior first. Prefer a version that removes the hardcoded MiniMax token, loads your own key from a secure configuration path, clearly warns that prompts and lyrics are sent to MiniMax, and asks before writing or overwriting local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill demonstrates network access, local file writes, and shell-adjacent behavior via ffmpeg, but does not declare corresponding permissions or provide clear execution boundaries. This is dangerous because users and the hosting platform cannot accurately assess or constrain the skill's capabilities, increasing the risk of unnoticed data exfiltration or unsafe local system interaction.

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The documented behavior goes beyond a simple music-generation description by showing use of authenticated external API calls, remote file download, local file persistence, and ffmpeg-based processing, while the description does not clearly disclose these operational effects. This mismatch is dangerous because it can mislead users or reviewers about what the skill actually does, undermining informed consent and security review.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises API-based lyric, song, and image generation but does not disclose that user prompts, lyrics, and possibly other creative content are sent to MiniMax's external services for processing. This can mislead users into sharing sensitive or proprietary content under the assumption processing is local, creating privacy, compliance, and data-handling risks.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger phrases include broad, common requests such as generating music or lyrics, which may cause the skill to activate unexpectedly in routine conversations. In a skill that sends prompts externally and writes files locally, accidental invocation increases privacy and operational risk because user content could be transmitted or files created without clear intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes uploading user prompts and lyrics to a third-party API and downloading generated audio for local storage, but it does not include a clear user-facing warning or consent flow. This is dangerous because users may unknowingly share sensitive creative content or personal data with an external service and cause local file creation on the host system.

Missing User Warnings

High
Confidence
99% confidence
Finding
A live API credential is hardcoded directly in the script and then used for authenticated requests. Anyone with access to the code can reuse the key to consume the API, incur charges, impersonate the skill, or access associated account resources.

External Transmission

Medium
Category
Data Exfiltration
Content
"prompt": "给唐晓加油打气的古风歌曲,温暖励志",
    "title": "赠唐晓"
}
r = requests.post("https://api.minimaxi.com/v1/lyrics_generation",
    headers=headers, json=lyrics_payload, timeout=60)
lyrics = r.json()["lyrics"]
Confidence
88% confidence
Finding
requests.post("https://

External Transmission

Medium
Category
Data Exfiltration
Content
"lyrics": lyrics,
    "output_format": "url"
}
r = requests.post("https://api.minimaxi.com/v1/music_generation",
    headers=headers, json=song_payload, timeout=600)
audio_url = r.json()["data"]["audio"]
Confidence
89% confidence
Finding
requests.post("https://

External Transmission

Medium
Category
Data Exfiltration
Content
]
urls = []
for p in prompts:
    r = requests.post("https://api.minimaxi.com/v1/music_generation",
        headers=headers,
        json={"model":"music-2.6","prompt":p,"is_instrumental":True,"output_format":"url"},
        timeout=600)
Confidence
83% confidence
Finding
requests.post("https://

External Transmission

Medium
Category
Data Exfiltration
Content
"prompt": "给唐晓加油打气的古风歌曲,温暖励志",
    "title": "赠唐晓"
}
r = requests.post("https://api.minimaxi.com/v1/lyrics_generation",
    headers=headers, json=lyrics_payload, timeout=60)
lyrics = r.json()["lyrics"]
Confidence
88% confidence
Finding
requests.post("https://api.minimaxi.com/v1/lyrics_generation", headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
"lyrics": lyrics,
    "output_format": "url"
}
r = requests.post("https://api.minimaxi.com/v1/music_generation",
    headers=headers, json=song_payload, timeout=600)
audio_url = r.json()["data"]["audio"]
Confidence
89% confidence
Finding
requests.post("https://api.minimaxi.com/v1/music_generation", headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
]
urls = []
for p in prompts:
    r = requests.post("https://api.minimaxi.com/v1/music_generation",
        headers=headers,
        json={"model":"music-2.6","prompt":p,"is_instrumental":True,"output_format":"url"},
        timeout=600)
Confidence
83% confidence
Finding
requests.post("https://api.minimaxi.com/v1/music_generation", headers=headers, json=

External Transmission

Medium
Category
Data Exfiltration
Content
"prompt": "给唐晓加油打气的古风歌曲,温暖励志",
    "title": "赠唐晓"
}
r = requests.post("https://api.minimaxi.com/v1/lyrics_generation",
    headers=headers, json=lyrics_payload, timeout=60)
lyrics = r.json()["lyrics"]
Confidence
88% confidence
Finding
https://api.minimaxi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
"lyrics": lyrics,
    "output_format": "url"
}
r = requests.post("https://api.minimaxi.com/v1/music_generation",
    headers=headers, json=song_payload, timeout=600)
audio_url = r.json()["data"]["audio"]
Confidence
89% confidence
Finding
https://api.minimaxi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
]
urls = []
for p in prompts:
    r = requests.post("https://api.minimaxi.com/v1/music_generation",
        headers=headers,
        json={"model":"music-2.6","prompt":p,"is_instrumental":True,"output_format":"url"},
        timeout=600)
Confidence
83% confidence
Finding
https://api.minimaxi.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal