Kai Minimax Tts

Security checks across malware telemetry and agentic risk

Overview

This MiniMax voice skill does what it says, but users should know TTS text is sent to MiniMax and local transcript/audio files are saved.

Install only if you are comfortable sending text you ask it to speak to MiniMax. Protect the MINIMAX_API_KEY, avoid using it for secrets or regulated content unless approved, and delete the generated audio/transcript files if they contain sensitive information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation instructs users to execute shell commands and declares required binaries, but it does not declare any corresponding permissions. This creates a trust and governance gap: users or platforms may underestimate the skill's execution capabilities, making review, sandboxing, and policy enforcement weaker than they should be.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill sends user-provided text and audio to the external MiniMax API, but the description does not warn users that their content leaves the local environment. This can lead to unintentional disclosure of sensitive prompts, recordings, or transcripts to a third party, especially because voice and transcription workflows often handle personal or confidential data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script transmits user-supplied text and an API bearer token to an external service without any explicit disclosure, consent flow, or data-handling notice. In an agent skill context, users may assume local processing, so silently exfiltrating prompt contents to a third party can expose sensitive data and create privacy/compliance risk.

VirusTotal

63/63 vendors flagged this skill as clean.
