ClawHub

MiniMax Music Generation

Security checks across malware telemetry and agentic risk

Overview

This is a visible MiniMax music-generation skill with expected remote API use and optional sharing guidance, not hidden or destructive behavior.

Install only if you are comfortable sending prompts and lyrics to MiniMax under your API key, and avoid submitting private or unpublished material unless MiniMax's terms meet your needs. Treat Feishu sharing as a separate explicit action: verify the recipient, token scope, and file content before uploading or sending generated audio.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The Feishu upload and message-sending section extends the skill from music generation into third-party file exfiltration/messaging. That is outside the narrowly stated purpose and can enable unintended transmission of generated or local files to external recipients if copied into agent behavior.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger phrases include broad everyday wording such as 'create music' and '帮我写首歌', which can cause the skill to activate in contexts where the user did not intend external API use, downloads, or file handling. Over-broad triggering increases the chance of accidental invocation and unintended data transmission or spending quota.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation instructs downloading audio and uploading/sending it via Feishu without clearly warning the user that data will be transmitted to a third party. Missing disclosure and consent around external transmission can lead to privacy violations, especially if prompts, lyrics, or generated content are sensitive.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The tool sends user prompts and lyrics content to a third-party API, but the CLI does not clearly warn users that potentially sensitive text will leave the local environment. In a music-generation skill, users may paste unpublished lyrics or private content, so silent remote transmission creates a real privacy and data-handling risk even if it is expected functionally.

External Transmission

Medium
Category
Data Exfiltration
Content
"output_format": output_format
        }
        
        response = requests.post(
            MUSIC_GENERATION_URL,
            json=payload,
            headers=self._headers(),
Confidence
94% confidence
Finding
requests.post( MUSIC_GENERATION_URL, json=

External Transmission

Medium
Category
Data Exfiltration
Content
"prompt": prompt
        }
        
        response = requests.post(
            LYRICS_GENERATION_URL,
            json=payload,
            headers=self._headers(),
Confidence
93% confidence
Finding
requests.post( LYRICS_GENERATION_URL, json=

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal