ClawHub

MiniMax 媒体生成 Unified MiniMax media generation skill for audio, image, and video creation with a single command entrypoint.MiniMax Skill 是一个统一的媒体生成技能,把文本转语音、文生图、文生视频三类能力收口为一个入口。安装后只需配置自己的 MINIMAX_API_KEY,即可通过统一命令生成音频、图片和视频,适合在 OpenClaw / Codex 类环境中直接调用。

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward MiniMax media-generation helper, but users should treat prompts and media references as data sent to a cloud service.

Install only if you are comfortable using MiniMax's cloud API. Keep MINIMAX_API_KEY out of source files, avoid sending confidential prompts or private media references unless approved, and write outputs to non-sensitive paths where overwrites would not matter.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'download_url' from requests.get (line 85, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
if not download_url:
        raise SystemExit(f"No download url returned: {json.dumps(file_data, ensure_ascii=False)}")

    video_response = requests.get(download_url, timeout=300)
    video_response.raise_for_status()
    output_path = Path(args.output)
    output_path.parent.mkdir(parents=True, exist_ok=True)
Confidence
94% confidence
Finding
video_response = requests.get(download_url, timeout=300)

Tainted flow: 'video_response' from requests.get (line 89, network input) → pathlib.Path.write_bytes (file write)

Medium
Category
Data Flow
Content
video_response.raise_for_status()
    output_path = Path(args.output)
    output_path.parent.mkdir(parents=True, exist_ok=True)
    output_path.write_bytes(video_response.content)
    print(str(output_path))
    return 0
Confidence
86% confidence
Finding
output_path.write_bytes(video_response.content)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation instructs users to run Python scripts that read an API key from the environment, write output files, access the network, and invoke shell commands, yet the skill declares no permissions. This creates a transparency and policy gap: operators may approve or execute the skill without understanding that it can make external API calls and write files, which increases the chance of unsafe deployment or misuse.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The script sends the user-provided prompt and optional image file reference to a third-party API without any explicit notice, consent prompt, or disclosure in the script itself. In an agent-skill context, users may assume local processing, so silent transmission of potentially sensitive creative prompts or file references creates a meaningful privacy and data-handling risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal