Minimax-Multimodal-Toolkit

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent guide for using the MiniMax CLI, with expected but important credential and external-service risks.

Before installing, verify the mmx-cli npm package and consider pinning a trusted version. Prefer environment variables or a secure secret manager over putting API keys directly on command lines, protect ~/.mmx/credentials.json, rotate the key if exposed, avoid --yes for costly or account-changing actions unless explicitly approved, and only send files or prompts you are comfortable sharing with MiniMax.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 81%
Finding
The skill instructs use of raw API keys and notes that credentials are persisted to ~/.mmx/credentials.json, but it does not warn about secret handling, shell history leakage, or filesystem exposure. In an agent setting, this increases the chance that operators pass secrets on the command line or store them insecurely on shared systems.

VirusTotal

64/64 vendors flagged this skill as clean.
