Back to skill

Security audit

minimax-img

Security checks across malware telemetry and agentic risk

Overview

This image skill mostly does what it says, but it also includes an undocumented text-to-speech command that sends text to MiniMax and saves audio files.

Review before installing. Use this only if you are comfortable sending image prompts to MiniMax/Hailuo infrastructure and storing generated files locally. Treat the included TTS mode as an undocumented extra capability; avoid sensitive text or remove/document that path before use, and keep MINIMAX_BASE_URL pointed at a trusted MiniMax endpoint.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Tainted flow: 'image_urls' from requests.post (line 37, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
return {"error": "No image URL returned"}
    
    # 下載圖片
    img_resp = requests.get(image_urls[0], timeout=60)
    if img_resp.status_code != 200:
        return {"error": f"Failed to download image: {img_resp.status_code}"}
Confidence
92% confidence
Finding
img_resp = requests.get(image_urls[0], timeout=60)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions even though it requires environment-variable access for API keys and network access to call MiniMax and download CDN-hosted files. This undermines informed consent and policy enforcement because users and tooling cannot accurately assess what the skill can access or where data will be sent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
A description-behavior mismatch is security-relevant here because the skill is presented as image-only, while static analysis indicates it also supports text-to-speech, accepts a separate command path, and writes audio files locally. Hidden or undeclared capabilities expand the attack surface, can bypass user expectations or review, and make it easier to exfiltrate data or perform unapproved actions under a misleading interface.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script advertises and implements text-to-speech functionality even though the skill metadata says the skill is for image generation. Capability drift is dangerous in agent skills because it expands the data types that may be transmitted externally and gives the installer materially different behavior than the manifest suggests.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This block calls a speech synthesis API unrelated to the declared image-generation purpose. Hidden or undeclared functionality increases the attack surface and may cause users or agents to send sensitive text to an external service they did not intend to use.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The command dispatcher exposes a tts mode despite the skill being presented as image generation only. In this skill context, undeclared speech generation is more dangerous because users and automated tooling may trust the narrower manifest and not evaluate the added data-export path.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The README omits important privacy and data-handling disclosures: user prompts are sent to a third-party service and generated images are stored locally. This can lead users to submit sensitive content or assume outputs are ephemeral, creating avoidable privacy, compliance, or data-retention risk even though the file does not appear overtly malicious.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill saves generated images locally and returns a remote CDN URL, but the description does not clearly warn users that files will be downloaded and stored on disk. While lower severity than hidden capabilities, this can still create privacy, disk-usage, and handling risks, especially in automated environments processing sensitive prompts or shared temporary directories.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The image-generation request sends user-provided prompts and the bearer token to an external service without any user-facing notice in the execution path. This is risky because prompts may contain sensitive information, and the lack of disclosure is especially relevant for an installable agent skill that may be invoked indirectly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The TTS path transmits arbitrary user text to an external API with no explicit warning. In context this is more concerning because the TTS capability is undeclared, so users may not realize their text is leaving the local environment at all.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.