ClawHub

MiniMax Image Generator

Security checks across malware telemetry and agentic risk

Overview

This skill is an image generator that uses a MiniMax API key and saves generated images, with some broad activation language users should notice.

Install only if you want the agent to generate images through MiniMax. Prompts will be sent to MiniMax using your MINIMAX_API_KEY, and generated images may be saved under ~/.openclaw/workspace/images unless another output path is used.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger is extremely broad ('ANY TIME' a user asks to create or improve virtually any image-related asset), which makes the skill likely to activate on many ordinary requests where a narrower or more appropriate skill should handle the task. Overbroad routing can cause unintended tool use, unexpected external API calls, and bypass of safer task selection boundaries.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Claiming to cover 'all use cases' without scope limits encourages overreach and increases the chance the skill will be selected for tasks beyond its safe operational envelope. This can lead to misrouting, unnecessary tool invocation, and reduced opportunity for policy-aware handling of edge cases like sensitive content or ambiguous requests.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs file creation in the workspace but does not clearly warn that running it will write artifacts to disk or describe retention/overwrite behavior. In agent environments, undisclosed persistence can surprise users, consume storage, and create opportunities for unintended accumulation of generated content.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal