Back to skill

Security audit

MiniMax PDF OCR

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform MiniMax-based OCR as advertised, but it uploads document page images to a third-party API and runs a shell command on user-provided paths without strong disclosure or guardrails.

Review before installing. Use it only if you are comfortable sending the full contents of processed PDFs to MiniMax, and avoid confidential, regulated, customer, or financial documents unless that external processing is approved. Treat file paths carefully because the PDF conversion command is invoked through a shell.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation indicates use of environment variables and outbound API access, but the skill declares no corresponding permissions. This creates a transparency and review gap: users and platforms may not realize the skill can read secrets and transmit document-derived data externally. In a document OCR skill, that mismatch is meaningful because users may process sensitive PDFs while assuming the skill has limited capabilities.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes sending PDF/image content to the MiniMax Vision API, but it does not give a clear privacy warning or require explicit user acknowledgement before transmission. This is dangerous because OCR inputs commonly contain confidential, personal, financial, or regulated information, and users may not understand that full document contents leave the local environment and are processed by a third party.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code base64-encodes images derived from the user's PDF and sends them to the external MiniMax API, but the tool description and runtime UX do not prominently warn that document contents leave the local system. This creates a real privacy and data-handling risk, especially if users process sensitive PDFs under the assumption the OCR is local.

External Transmission

Medium
Category
Data Exfiltration
Content
const imageData = fs.readFileSync(imagePath);
  const base64Image = imageData.toString('base64');
  
  const response = await fetch('https://api.minimax.chat/v1/text/chatcompletion_v2', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
Confidence
95% confidence
Finding
fetch('https://api.minimax.chat/v1/text/chatcompletion_v2', { method: 'POST'

External Transmission

Medium
Category
Data Exfiltration
Content
const imageData = fs.readFileSync(imagePath);
  const base64Image = imageData.toString('base64');
  
  const response = await fetch('https://api.minimax.chat/v1/text/chatcompletion_v2', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
Confidence
95% confidence
Finding
https://api.minimax.chat/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
pdf-ocr-minimax.js:36

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
pdf-ocr-minimax.js:14