Back to skill

Security audit

Mimimax Voice Clone +TTS

Security checks across malware telemetry and agentic risk

Overview

This voice-cloning skill appears purpose-aligned, but it handles sensitive voice data and persists voice mappings without enough clear consent and disclosure.

Install only if you are comfortable uploading voice samples to MiniMax for cloning. Use voice data you have rights and consent to clone, keep API keys in environment variables, and check whether the skill lets you view, delete, or reset saved voice mappings before relying on it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares environment-variable use, file read/write, and networked API access, but does not expose a formal permissions declaration despite performing sensitive operations. This can mislead users and host platforms about the skill's actual capabilities, reducing informed consent and making risky behaviors like external data transmission and document mutation less visible.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This skill sends user-provided voice audio to an external voice-cloning provider, which is highly sensitive biometric data, yet the description and usage guidance do not prominently warn about that transmission or the privacy implications. In this context, the omission is more dangerous because voice cloning involves irreversible privacy and impersonation risks beyond ordinary cloud processing.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# MiniMax voice clone + TTS script
requests>=2.28.0
Confidence
97% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.