Nuwa Video Gen - MiniMax Nüwa Video

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward MiniMax video-generation helper, but users should understand that prompts and image or face-reference URLs are sent to MiniMax.

Install only if you trust this MiniMax API workflow. Use a dedicated API key where possible, monitor billing or credits, avoid confidential prompts and private image URLs, and only use face-reference images with the subject's permission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Tainted flow: 'download_url' from requests.get (line 124, network input) → requests.get (network output)

Severity: Medium
Category: Data Flow
Content:
    print(f"正在下载视频到 {output_path}...")
    with open(output_path, "wb") as f:
        video_response = requests.get(download_url)
        video_response.raise_for_status()
        f.write(video_response.content)
    print(f"视频已成功保存至 {output_path}")
Confidence: 92%
Finding: video_response = requests.get(download_url)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The skill instructs users to send prompts, image URLs, and in one mode face images to a third-party API, but it does not clearly disclose that this data leaves the local environment and may be processed, stored, or logged by an external provider. This is more concerning here because the skill explicitly supports subject-reference generation using human face photos, which raises privacy and consent risks beyond ordinary prompt transmission.

VirusTotal

65/65 vendors flagged this skill as clean.
