Back to skill

Security audit

Minimax Token

Security checks across malware telemetry and agentic risk

Overview

This is a small, disclosed MiniMax quota-checking skill with optional Telegram notifications and no hidden executable artifact in the package.

Before installing, decide whether you are comfortable providing a MiniMax API key and, if enabling Telegram alerts, exposing quota status, bot/chat identifiers, and notification timing to Telegram. The submitted artifact does not include the referenced script or systemd service, so review any separate implementation before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly supports sending account usage/quota information through Telegram, a third-party service, but does not disclose the privacy and metadata exposure implications. Even if the message content seems limited to quota status, operational details such as account usage patterns, bot identifiers, chat IDs, and notification timing can leak sensitive business or personal information to an external platform.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.