Minimax Cp

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the advertised MiniMax search and image-analysis tasks, but it embeds a reusable API key and runs an unpinned external MCP package, so users should review it before installing.

Install only if you trust the publisher, the bundled MiniMax credential arrangement, and the external `minimax-coding-plan-mcp` package. Prefer a revised version that removes the hardcoded key, requires a user-provided `MINIMAX_API_KEY`, pins the MCP dependency, and clearly warns that searches, prompts, image URLs, and possibly image contents are sent to MiniMax.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes local shell commands and relies on environment-based secrets/capabilities, but it does not declare those permissions. This reduces transparency and prevents users or policy systems from accurately understanding that the skill can execute subprocesses and access sensitive configuration, which can lead to unintended command execution or secret exposure in a broader agent environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose suggests simple search and image understanding, but the implementation also hardcodes/uses an API key and spawns an external MCP service subprocess. This mismatch is dangerous because users may consent to a narrow feature set without realizing the skill performs privileged operations and transmits data through additional external components, increasing the risk of credential leakage and unauthorized data handling.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes a live-looking API credential directly in source and exports it into the process environment. Hardcoded secrets are highly dangerous because anyone with code access can reuse the credential, and downstream subprocesses inherit it, increasing the chance of leakage, abuse, and unauthorized billing or data access.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script hardcodes a live external API credential directly in source code and configures an external service endpoint, which creates immediate secret exposure risk if the repository, package, or logs are accessed by others. In a skill intended for image understanding, embedding the credential is especially dangerous because any user or downstream environment with code access can reuse the key to make unauthorized API calls.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Setting a hardcoded API key in code is a true secret-management vulnerability because it exposes privileged access to an external service to anyone who can read or obtain the file. The skill context makes this more dangerous, not less, because the manifest frames the feature as user-facing image/search functionality while silently bundling reusable service credentials.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad, everyday terms like '搜索' and '查找' without clear scoping, which can cause the skill to activate in situations the user did not specifically intend. In an agent setting, overbroad activation is risky because it may automatically send user queries or referenced content to external services, expanding data exposure beyond user expectations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documentation does not warn users that search terms, image paths, and image URLs may be sent to an external service. This is dangerous because users may provide sensitive local file paths, private URLs, or confidential queries without realizing that this information will leave the local environment and be processed by a third party.

Missing User Warnings

High
Confidence
98% confidence
Finding
Injecting a hardcoded credential into the environment without disclosure or consent makes the secret available to child processes and any code running in that execution context. In a skill that brokers external API calls, this expands the blast radius of secret exposure and makes accidental logging or exfiltration easier.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This skill forwards user-supplied queries to an external network-backed service via the MCP server, but the script gives no explicit disclosure at runtime that queries leave the local environment. In a search skill this behavior is expected, but it still has privacy implications if users enter sensitive or proprietary information.

Missing User Warnings

High
Confidence
97% confidence
Finding
The code both embeds a secret and propagates it into a child process environment, expanding exposure beyond the parent process and increasing the number of places the credential may be inspected, dumped, or misused. Users are not informed that a privileged third-party credential is being used on their behalf, which compounds the security and trust risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script forwards user-supplied prompts and image sources to an external API service, which is a data-exposure/privacy issue when done without disclosure or consent. Given that images may contain sensitive personal or proprietary information, undisclosed transmission to a third party materially increases risk in this skill context.

VirusTotal

VirusTotal findings are pending for this skill version.