MiniMax PDF Analysis V2

Security checks across malware telemetry and agentic risk

Overview

The PDF analysis features are mostly legitimate, but the skill also includes under-disclosed web search and arbitrary image upload capabilities that users should review before installing.

Install only if you are comfortable using your MiniMax API key and sending selected PDF pages, prompts, and potentially local image files to MiniMax. Review or remove the JavaScript helper if you only want PDF analysis, because it also provides web search and arbitrary image-upload tooling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding:
The skill metadata declares runtime requirements but does not declare permissions despite requiring environment access, shell execution, file writes, and network use. This reduces transparency and weakens policy enforcement, making it easier for a user or platform to invoke a capability-rich skill without understanding its true access level.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 90%
Finding:
The documented purpose is PDF analysis, but the static findings indicate additional behaviors such as web search and exposure of broader MiniMax tools. Undocumented expansion of capability increases the attack surface and can enable unintended data flows or actions outside the user's expected scope, especially when combined with networked APIs.

Description-Behavior Mismatch

High
Confidence: 97%
Finding:
The implementation materially differs from the declared PDF-analysis purpose by exposing generic web search and image-understanding capabilities. In an agent environment, this expands the skill's authority beyond user expectations and can enable unintended data exfiltration, browsing, or prompt-driven misuse under the guise of a PDF tool.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding:
A web-search tool is not necessary for the stated PDF-analysis use case and introduces outbound network access to arbitrary queries. That creates unnecessary attack surface, including retrieval of untrusted content and covert use of the skill for external lookups unrelated to the user's intended document processing task.

Intent-Code Divergence

Medium
Confidence: 89%
Finding:
The file header and tool documentation advertise network search and generic image understanding, which contradicts the manifest's PDF-analysis framing. This kind of capability mismatch is security-relevant because reviewers and users may grant trust or permissions based on the manifest while the code performs broader actions.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The README advertises vision analysis through the MiniMax VLM API but does not clearly disclose that PDF page images and document contents are transmitted to a third-party remote service. This can cause accidental exposure of sensitive or regulated data because users may assume analysis happens locally after page conversion.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill explicitly sends PDF-derived content to an external MiniMax API but does not prominently warn users about third-party data transmission, retention, or privacy implications. Users may process sensitive PDFs assuming local analysis, leading to accidental disclosure of confidential information.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The vision path sends base64-encoded page images and the user's prompt to a third-party MiniMax API, which can expose sensitive document contents outside the local environment. The code performs this transmission without an explicit warning, confirmation step, or data-handling notice in the execution path, increasing the risk of accidental data exfiltration when users analyze confidential PDFs.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The tool reads arbitrary local image files, base64-encodes them, and sends them to an external API without an explicit user-facing disclosure at the point of use. In the context of an agent skill, this can cause inadvertent exfiltration of sensitive local data if a user or downstream agent passes a local path expecting only local processing.

VirusTotal

VirusTotal findings are pending for this skill version.
