Material Generator

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Unreal Engine material generator, but it publicly includes what appears to be a reusable MiniMax API key.

Review before installing or using. The publisher should remove and rotate the exposed MiniMax key and replace it with instructions for users to provide their own secret through protected configuration. Avoid entering sensitive project details into the hosted tool unless you trust the publisher and the MiniMax data handling path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The skill documentation exposes a hardcoded API key directly in SKILL.md, which is a real credential-handling vulnerability. Anyone who can read the file can reuse the key against the external MiniMax API, leading to unauthorized API usage, quota exhaustion, billing abuse, and possible access to data associated with that account.

Missing User Warnings

High
Confidence: 100%
Finding
This finding is valid because the markdown publicly discloses what appears to be a live secret key without any masking, warning, or access restriction. The danger is heightened by the inclusion of the exact provider endpoint and model configuration, which makes credential abuse immediately actionable with little effort by an attacker.

VirusTotal

66/66 vendors flagged this skill as clean.
