minimax-mcp

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide legitimate search and image-analysis features, but it may send local images and queries to external providers without clear user consent or privacy notice.

Review this skill before installing if you may analyze private screenshots, documents, photos, or sensitive research queries. Use it only when you are comfortable sending that content to the named external providers, and avoid local images containing credentials, personal data, internal documents, or account screens unless you have approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly supports sending local image files or image URLs to an external image-understanding service, but the documentation does not warn users that image contents, metadata, or sensitive screenshots may be transmitted to a third party. In a tool intended for search and image analysis, this omission materially increases the risk of accidental disclosure of private data, especially because users may assume local files are processed locally.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documented fallback behavior automatically redirects searches to Brave Search or Qwen Chat when MiniMax is unavailable, but it does not warn that user queries may be sent to different third-party services with different privacy practices. This can expose sensitive prompts or research queries to unintended external providers without informed user consent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly supports sending local image files and image URLs to external analysis services, but it does not warn users that the image contents will leave the local environment. This creates a privacy and data-handling risk because screenshots and local images often contain sensitive information such as credentials, personal data, internal documents, or system details that could be exposed to third-party providers.

VirusTotal

66/66 vendors flagged this skill as clean.
