Security audit

Mmx

Security checks across malware telemetry and agentic risk

Overview

This skill is a reference guide for using the MiniMax mmx CLI, with expected account, network, and file-output behavior for that purpose.

Install only if you intend to use MiniMax through the mmx CLI. Treat prompts, images, audio, files, and search queries as content that may leave your machine; avoid submitting secrets or sensitive personal/proprietary data, protect the API key, watch quota or billing, and choose output paths carefully before generating or downloading media.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The activation text is broad enough to trigger on many general content-generation or image-analysis requests, which can cause the agent to invoke this skill in contexts the user did not clearly intend. Because the skill sends prompts and media to a remote authenticated CLI service, over-broad activation increases the chance of unnecessary data disclosure and tool misuse.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The auth and usage examples encourage immediate login and remote API use without warning that prompts, files, images, audio, and search queries may be transmitted to a third-party service. In an agent setting, this omission is security-relevant because users may assume local processing and unknowingly expose secrets, personal data, or proprietary content.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.