Minimax Tools

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward MiniMax API wrapper, but users should be careful because selected prompts, images, audio, lyrics, and voice samples are sent to MiniMax.

Install only if you intend to use MiniMax’s external service. Use a dedicated MiniMax API key if possible, leave MINIMAX_BASE_URL unset unless you trust the endpoint, and do not submit confidential, regulated, copyrighted, or third-party voice/audio/image content unless you have authorization and consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README promotes voice cloning and audio upload/download workflows but does not warn users about consent, impersonation, biometric privacy, or third-party data transfer to MiniMax. In a skill that directly handles speech synthesis and cloned voices, this omission increases the likelihood of misuse or accidental processing of sensitive voice data without proper authorization.

Missing User Warnings

Medium
Confidence: 88%
Finding
The README documents image, video, and music workflows that accept local files, prompts, and media inputs for processing by an external API, yet it provides no explicit notice that user content may leave the local environment. This is risky because users may upload private images, audio, lyrics, or other sensitive material without understanding the transfer, storage, or downstream handling by the external provider.

Missing User Warnings

Medium
Confidence: 94%
Finding
The voice cloning workflow necessarily uploads source audio, and possibly prompt audio, to the external MiniMax API, but the skill text does not clearly warn users before use. This creates a privacy and consent risk because users may submit sensitive biometric voice data or third-party recordings without understanding that the content leaves the local environment.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill is designed to send prompts and media to MiniMax's external APIs for TTS, image, video, and music generation, but it does not clearly disclose this data flow in the description. Users may incorrectly assume the wrappers are purely local because they are implemented as local Python scripts, leading to accidental disclosure of sensitive text, images, audio, or video content.

Missing User Warnings

Medium
Confidence: 93%
Finding
The notes document voice cloning workflows that involve uploading source and prompt audio, but they omit any warning that this data may contain biometric identifiers and highly sensitive personal information. In a skill explicitly designed to operationalize voice cloning, that omission increases the chance of misuse or uninformed handling of consent-sensitive data.

Missing User Warnings

Medium
Confidence: 90%
Finding
The file thoroughly describes external MiniMax API endpoints for TTS, cloning, image, video, and music generation, but does not clearly disclose that prompts, images, audio, and related content are transmitted to an external service. This can lead users or downstream agents to send sensitive local content off-system without informed awareness, especially because the skill is framed as a convenient local wrapper.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script accepts a local path for --subject-reference, reads the file, converts it to a data URL, and embeds the full image contents into the request body sent to the remote MiniMax API. In a tool context, this can cause unintentional exfiltration of local files because there is no explicit user-facing disclosure, confirmation, or restriction when local images are uploaded.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script transmits user-supplied --text to MiniMax via a remote API call, but this file provides no user-facing notice that prompt contents leave the local environment. In a tool explicitly designed for direct third-party API integration, this is a real privacy and data-handling risk because users may enter sensitive text assuming local processing.

VirusTotal

65/65 vendors flagged this skill as clean.
