MiniMax Vision

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it analyzes user-provided images through a configured MiniMax MCP tool, with privacy and setup caveats.

Install only if you are comfortable with selected images being processed by your configured MiniMax MCP provider. Avoid sensitive personal, financial, or proprietary images unless you trust that provider and configuration, and verify that mcporter resolves to the intended binary.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (3)

Context-Inappropriate Capability

Medium (88% confidence)
Finding
The wrapper unnecessarily spawns an external CLI and passes a near-complete inherited environment to it, expanding the trust boundary beyond simple image recognition. In an agent context, this means secrets in environment variables or host-specific behavior may be exposed to the child process or any components it invokes.

Vague Triggers

Medium (91% confidence)
Finding
The trigger phrases are broad everyday language such as asking to 'look at this image,' which can cause the skill to activate unintentionally. Unintended invocation matters here because activation leads to external tool use on user-provided media, increasing the chance of privacy leaks, unexpected processing, or accidental execution in the wrong context.

Missing User Warnings

Medium (91% confidence)
Finding
User-provided image paths and prompts are sent to an external MCP command without any disclosure, consent flow, or privacy guardrails. In this skill's context of processing user-sent images, that creates a real data-handling risk because local file contents or sensitive prompts may be transmitted to a third-party service unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.
