Minimax Music Gyh

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it uses a MiniMax API key to generate music from user prompts and save the returned audio file locally.

Install only if you are comfortable sending your music prompt, optional lyrics, and request metadata to MiniMax. Use a dedicated MiniMax API key where possible, avoid sensitive or confidential text in prompts, install the requests library from a trusted Python environment, and choose an output path you are comfortable overwriting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Tainted flow: 'download_url' from requests.get (line 85, network input) → requests.get (network output)

Medium
Category: Data Flow
Content:

print(f"📥 正在下载音乐至 {output_path}...")
with open(output_path, "wb") as f:
    vr = requests.get(download_url, timeout=120)
    vr.raise_for_status()
    f.write(vr.content)
print(f"✅ 音乐已保存: {output_path}")

Confidence: 90%
Finding: vr = requests.get(download_url, timeout=120)

VirusTotal

67/67 vendors flagged this skill as clean.
