mmMusicExpert

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a coherent MiniMax music-generation skill, with expected notes about using a MiniMax API key, sending prompts or lyrics to MiniMax, and saving generated audio locally.

Before installing, be comfortable providing a MiniMax API key and sending your music prompts or lyrics to MiniMax. Use a safe output folder for generated audio and monitor your MiniMax account usage.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

The skill can use the MiniMax account associated with the API key, which may consume quota or incur charges.

Why it was flagged

The script reads a local MiniMax API key and uses it as a Bearer token for API requests. This is purpose-aligned, but it is sensitive account access and the registry requirements list no required env vars.

Skill content
api_key = os.getenv("MINIMAX_MUSIC_API_KEY") ... "Authorization": f"Bearer {api_key}"
Recommendation

Only set MINIMAX_MUSIC_API_KEY if you intend to use this provider, monitor account usage, and revoke or rotate the key if you stop using the skill.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Song prompts, lyrics, and related creative details may leave the local environment and be processed by MiniMax.

Why it was flagged

The skill sends constructed music-generation payloads, including visible prompt and lyrics fields, to MiniMax's external API. This is central to the skill's purpose but is still an external data flow.

Skill content
API_URL = "https://api.minimaxi.com/v1/music_generation"
Recommendation

Avoid including private, confidential, or sensitive unreleased material in prompts or lyrics unless you are comfortable sharing it with MiniMax under its terms.

ASI02: Tool Misuse and Exploitation
Low
What this means

If a sensitive or existing file path is chosen, the generated audio output could overwrite that file.

Why it was flagged

Generated or downloaded audio is written to the requested output path, creating parent directories if needed. This is expected for an audio-generation tool, but it can overwrite the chosen file.

Skill content
path.parent.mkdir(parents=True, exist_ok=True)
path.write_bytes(data)
Recommendation

Use a dedicated output folder and confirm the destination filename before running generation or download.