Security audit

minimax-music

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but its download helper can fetch any URL and write to any chosen local path without clear limits.

Review before installing. Use a dedicated MiniMax API key, run it only for trusted prompts and lyrics, avoid the generic download command except for trusted MiniMax music URLs, and save outputs only to a safe working directory with filenames you are willing to create or overwrite.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The skill documentation describes use of environment variables and network access, but no explicit permissions are declared. That creates a transparency and governance problem: users and platforms cannot see, before use, that the skill will read secrets and make outbound requests. In this context the risk is moderate because the skill is explicitly API-driven, but undeclared capabilities still increase the chance of unintended secret exposure or unreviewed network behavior.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The documentation claims a constrained music-generation workflow, but it also exposes direct downloading from a user-supplied URL and describes behavior that is broader than, or inconsistent with, the stated purpose. This mismatch is dangerous because users may trust the declared scope while the skill can perform arbitrary network fetches and local writes, which can enable SSRF-style internal requests, downloading untrusted content, or saving unexpected files. The skill context makes this more dangerous because media-download features naturally encourage users to pass external URLs and output paths.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The CLI exposes a generic `download` command that accepts any user-supplied URL and writes the response to a local file, which goes beyond the declared MiniMax music-generation purpose. In an agent environment, this can be abused as an arbitrary network fetch primitive for accessing untrusted or internal resources and storing attacker-chosen content on disk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: `download_music()` performs arbitrary remote fetching from a caller-controlled URL using `requests.get()` and streams the result directly to a local path. This creates a server-side request forgery and arbitrary file-write primitive within the skill, especially risky if an agent can be induced to fetch internal endpoints or save unexpected content locally.

Missing User Warnings

Severity: Low
Confidence: 77%
Finding: The skill explicitly says it can automatically download and save MP3 files locally, but it does not clearly warn about filesystem side effects or describe where files are written and under what controls. This can lead users to trigger local writes without understanding overwrite risk, storage location, or the trust implications of downloaded content. The impact is lower than direct code execution, but it is still a real safety issue for user consent and safe operation.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.