Minimax Mcp

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward MiniMax integration for web search and image analysis, with normal privacy and installer cautions but no evidence of hidden or malicious behavior.

Before installing, prefer the Homebrew uv install path or verify the uv installer yourself. Use a dedicated MiniMax API key if possible, monitor API usage costs, and only submit searches, URLs, prompts, or images that you are comfortable sending to MiniMax.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 93%
Finding:
The trigger phrases are very broad and overlap with common user intents like searching, describing images, and fetching webpages. In an agent environment, this can cause the skill to activate unexpectedly and route user data or URLs to an external service without sufficiently explicit user intent for MiniMax specifically.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The skill advertises web search, image understanding, and URL content extraction but does not clearly warn that supplied image URLs, webpage URLs, and possibly related content will be transmitted to MiniMax's external API. This creates a privacy and data-handling risk because users may provide sensitive links or images without informed consent.

Missing User Warnings

Medium
Confidence: 84%
Finding:
The image analysis examples encourage sending image URLs or local image content to an external service without warning that sensitive images, embedded text, metadata, or internal file contents may be transmitted off-device. In documentation for an agent skill, this omission can lead users to unintentionally disclose private or regulated data.

VirusTotal

65/65 vendors flagged this skill as clean.
