Security audit

MiniMax MMX

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only MiniMax CLI helper whose commands match its stated purpose, but users should know it sends chosen prompts and files to a third-party service.

Install only if you trust the MiniMax MMX CLI package and account setup. Avoid sending secrets, private documents, regulated data, or sensitive images/search queries unless you are comfortable transmitting that content to MiniMax, and prefer a limited-scope API key.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 81% confidence
Finding: The skill description is broad enough to overlap with many common user requests such as image generation, search, chat, and media creation, which increases the chance of unintended invocation. In an agent setting, accidental triggering can cause unsolicited external API calls, unnecessary costs, and transmission of user data to a third-party service without clear user awareness.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The document instructs users to authenticate with an API key and exposes multiple commands that send prompts, images, and other content to an external service, but it does not warn that user data will leave the local environment. In an agent workflow, this omission can lead to sensitive information, proprietary files, or personal data being transmitted to a third party without informed consent or proper handling expectations.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal