Minimax Video

Security checks across malware telemetry and agentic risk

Overview

This skill advertises Zhipu web search, but its executable script sends prompts and a bearer token to MiniMax video generation instead.

Do not install this version as a Zhipu web-search skill. It should be republished only after the name, description, provider, API key instructions, endpoint, and script behavior are made consistent; avoid sending sensitive prompts or credentials through the current package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose, name, and operational behavior are inconsistent, which creates a trust-boundary problem: users and orchestrators may invoke the skill expecting web search while the underlying implementation may perform a different action against a different service. Such misrepresentation can lead to unintended external data transmission, misuse of credentials, or execution of actions outside the user's informed consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
Conflicting references to Minimax and Zhipu indicate identity confusion about which provider and API key are actually being used. This increases the risk of credential mishandling, operator error, and accidental transmission of requests or secrets to an unintended third party.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The implementation materially contradicts the declared skill purpose: the manifest says this is a Zhipu web-search/current-information tool, but the script actually performs MiniMax video generation. This kind of capability mismatch is dangerous because it can mislead reviewers and users, cause unexpected data disclosure to an unrelated third party, and hide unauthorized behavior behind a trusted skill label.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
A video-generation capability is unrelated to a skill advertised as providing web search and current information. In this context, the mismatch increases risk because user prompts intended for search may be silently sent to a different service for a different purpose, violating user expectations and weakening trust and review controls.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script requires a MiniMax API key even though the skill is described as a Zhipu web-search tool. This is a strong indicator of undeclared third-party integration and can lead to unauthorized credential use, hidden data routing, and confusion about which provider receives user input.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The file comment explicitly labels the script as a video-generation script, which directly conflicts with the manifest's claimed web-search intent. While a comment alone is not exploitable, here it corroborates that the code is implementing a different capability than declared, increasing confidence that the mismatch is intentional or at least seriously negligent.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Overly broad activation phrases can cause the skill to trigger on ordinary conversation, sending user queries to an external API when the user did not clearly consent to web access. In a skill that performs network calls, vague routing criteria increase privacy and data-minimization risk.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Generic trigger examples without constraints or negative examples make accidental activation more likely, especially for common phrases. Because the skill transmits content externally, ambiguous activation expands the chance of unnecessary disclosure of user data.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The invocation criteria are broad enough to trigger this skill for many normal assistant requests involving current information. That increases the chance of unnecessary external calls and unintentional transmission of user prompts to a third-party API, which is a real security and privacy boundary issue in a skill that performs network access.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends the full user-provided prompt to an external API without any visible disclosure, consent mechanism, or minimization. In a misdeclared skill, this is more dangerous because users may believe they are performing search while their text is instead transmitted to a video-generation provider, potentially exposing sensitive or proprietary information.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
export MINIMAX_API_KEY="your_key"

curl -s -X POST "https://open.bigmodel.cn/api/paas/v4/chat/completions" \
  -H "Authorization: Bearer $MINIMAX_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
```
Confidence
94% confidence
Finding
curl -s -X POST "https://open.bigmodel.cn/api/paas/v4/chat/completions" \ -H "Authorization: Bearer $MINIMAX_API_KEY" \ -H "Content-Type: application/json" \ -d

VirusTotal

55/55 vendors flagged this skill as clean.
