Security audit

minimax-video

Security checks across malware telemetry and agentic risk

Overview

This is a coherent MiniMax video-generation helper that uses the expected cloud API and can save generated videos locally.

Install if you are comfortable using a MiniMax API key and sending your prompts and referenced image URLs to MiniMax. Set MINIMAX_REGION explicitly if data residency matters, and save downloads to a dedicated folder to avoid accidental overwrites or misplaced generated media.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill requires environment access for an API key and performs network operations against an external video generation service, yet no permissions are explicitly declared. This creates a transparency and governance gap: users or hosting platforms may not realize the skill can exfiltrate prompts, image references, and metadata to a remote API, or that it depends on secret material from the environment.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The description says generated videos are automatically downloaded and saved locally, but it does not clearly warn users that the skill writes files to disk. Unexpected local writes can overwrite files, consume storage, or store sensitive/generated content on shared systems without informed consent.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill documentation explains use of the MiniMax API and accepts image URLs/prompts, but it does not warn that user prompts, image references, and task information are transmitted to an external third-party service. This is dangerous because users may inadvertently send confidential or regulated data off-platform without realizing it.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The API reference documents sending prompts and image URLs to external MiniMax endpoints but does not warn users that their content and generated media are transmitted to a third-party service. In a video-generation skill, prompts and images may contain sensitive data, so this omission can lead to unintentional disclosure and privacy/compliance issues.

Natural-Language Policy Violations

Medium

Confidence: 86% confidence
Finding: The code defaults to the China-region API when MINIMAX_REGION is unset, causing prompts, image URLs, task metadata, and possibly generated-content identifiers to be sent to a CN endpoint without explicit user choice. In a skill that processes user media and prompts, implicit cross-border routing can create compliance, privacy, and data-governance risk even if the transport is encrypted.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.