minimax-media (James)

This skill appears to do what it says (image generation and TTS via MiniMax) but there are a few things to consider before installing or running it: - Required secret not declared in registry metadata: SKILL.md and README require MINIMAX_API_KEY (and optional MINIMAX_BASE_URL), but the registry metadata lists no env vars. Expect to set MINIMAX_API_KEY in your environment; the platform may not prompt for it automatically. Treat that API key as a secret. - Source trust: the skill's source is 'unknown' in the metadata. Verify you trust the author or the package distribution before providing a live API key. - Network fetches / SSRF risk: the script downloads the first image URL returned by the API. If the API or returned URLs are malicious (or if you point MINIMAX_BASE_URL at an arbitrary endpoint), the script could request arbitrary HTTP endpoints, including internal addresses. If you are in a sensitive network, run the script in an isolated/sandbox environment or modify it to validate/whitelist hosts before downloading. - Temp-file handling: the script uses tempfile.mktemp (deprecated/insecure). Prefer running it in a safe environment or patch the script to use tempfile.NamedTemporaryFile or create files in a controlled directory to avoid race conditions. - Dependency: the script requires the 'requests' Python package. Install in a virtualenv to avoid system-wide changes (pip install requests). - Mitigations: only provide an API key with the minimal privileges available, rotate keys regularly, run the script inside a container or restricted environment if you are unsure, or inspect/modify the script to add host validation before downloading returned URLs and to replace mktemp with a safer pattern. If you want this skill to be more trustworthy before installing, ask the publisher to fix the registry metadata to include MINIMAX_API_KEY as the primaryEnv, and consider requesting a signed/reputable package distribution or a publisher identity you trust.