MiniMax CLI (mmx)

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent MiniMax CLI helper, but it tells users to give an API key to an AI agent without adequate privacy or secret-handling warnings.

Install only if you trust the MiniMax CLI package and service. Do not paste your API key into an AI chat or agent prompt; configure it directly through a local terminal or secure credential flow. Avoid submitting sensitive screenshots, documents, personal media, confidential URLs, or private text unless you intend MiniMax to process them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding:
The skill instructs users to provide an API key and describes use of a remote service, but it does not explicitly warn that secrets and supplied content may be transmitted off-box. In an agent setting, this can lead users to paste credentials into prompts or authorize actions that expose API keys and local data to third-party infrastructure without informed consent.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The documentation states that local image paths are automatically base64-encoded, but does not clearly warn that the image contents are then transmitted to a remote API. In this skill context, users may provide sensitive screenshots, documents, or personal photos, creating a realistic risk of unintentional exfiltration of local content.

VirusTotal

64/64 vendors flagged this skill as clean.
