MiniMax Search & VLM

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed MiniMax API helper for web search and image analysis, with privacy risk when users send images or queries to MiniMax.

Install this only if you intend to use MiniMax for web search and image analysis. Use a dedicated API key if possible, keep the local key file private, and do not analyze private screenshots, documents, photos, or URLs unless you are comfortable sending their contents to MiniMax.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill includes an example that base64-encodes a local image file and sends it to a remote MiniMax API, but it does not clearly warn that local file contents leave the machine and are disclosed to a third party. This can cause unintended exfiltration of sensitive images, screenshots, or documents if users treat the example as routine local analysis.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
source ~/.openclaw/config/minimax-api.env
curl -s "https://example.com/image.jpg" -o /tmp/tmp_img.jpg
curl -s "https://api.minimaxi.com/v1/coding_plan/vlm" \
  -H "Authorization: Bearer $MINIMAX_API_KEY" \
  -H "Content-Type: application/json" \
```
Confidence
92% confidence
Finding
```bash
curl -s "https://example.com/image.jpg" -o /tmp/tmp_img.jpg
curl -s "https://api.minimaxi.com/v1/coding_plan/vlm" \
  -H "Authorization: Bearer $MINIMAX_API_KEY" \
  -H "Content-Type: application/json
```

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
# Analyze a local image
IMG_PATH="/path/to/image.jpg"
curl -s "https://api.minimaxi.com/v1/coding_plan/vlm" \
  -H "Authorization: Bearer $MINIMAX_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"prompt\":\"描述这张图片\",\"image_url\":\"data:image/jpeg;base64,$(base64 -w0 $IMG_PATH)\"}"
```
Confidence
97% confidence
Finding
https://api.minimaxi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
source ~/.openclaw/config/minimax-api.env
curl -s "https://example.com/image.jpg" -o /tmp/tmp_img.jpg
curl -s "https://api.minimaxi.com/v1/coding_plan/vlm" \
  -H "Authorization: Bearer $MINIMAX_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"prompt\":\"描述这张图片\",\"image_url\":\"data:image/jpeg;base64,$(base64 -w0 /tmp/tmp_img.jpg)\"}"
```
Confidence
93% confidence
Finding
https://api.minimaxi.com/

VirusTotal

64/64 vendors flagged this skill as clean.
