Security audit

MiniMax Video Generation

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward MiniMax video-generation helper that sends chosen prompts or images to MiniMax and saves the generated video locally.

Install this only if you intend to use MiniMax cloud video generation. Do not submit confidential, regulated, or private images or prompts unless MiniMax processing is acceptable for your use case; keep the API key scoped and protected; and review the local output directory because generated videos remain on disk until removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Tainted flow: 'download_url' from requests.get (line 114, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
download_url = result["file"]["download_url"]

    print(f"正在下载视频 (约 3-5MB)...\n")
    video_resp = requests.get(download_url, timeout=180)
    with open(save_path, 'wb') as f:
        f.write(video_resp.content)
Confidence
89% confidence
Finding
video_resp = requests.get(download_url, timeout=180)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documents use of environment variables and outbound network access to a third-party API, but no corresponding permissions are declared. This creates a transparency and governance gap: users and hosting platforms may not realize the skill can read secrets and transmit prompts or images externally.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow states that videos are automatically downloaded and saved locally, and examples upload prompts/images to an external service, but the documentation does not warn about third-party data transmission or privacy implications. Users may unknowingly send sensitive images or text to an external vendor and persist generated media on disk without informed consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends user prompts and, when provided, raw local image contents to a third-party API without any explicit consent prompt, privacy notice, or data minimization controls. In an agent-skill context, users may assume local files stay local, so the lack of disclosure increases the risk of unintended sensitive-data transmission.

External Transmission

Medium
Category
Data Exfiltration
Content
API_KEY = os.getenv("MINIMAX_API_KEY")

response = requests.post(
    "https://api.minimaxi.com/v1/video_generation",
    headers={
        "Authorization": f"Bearer {API_KEY}",
Confidence
92% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
with open("start_image.jpg", "rb") as f:
    img_base64 = base64.b64encode(f.read()).decode()

response = requests.post(
    "https://api.minimaxi.com/v1/video_generation",
    headers={"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"},
    json={
Confidence
96% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
### Generate video from first and last frames

```python
response = requests.post(
    "https://api.minimaxi.com/v1/video_generation",
    headers={"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"},
    json={
Confidence
88% confidence
Finding
requests.post( "https://

External Transmission

Medium
Category
Data Exfiltration
Content
API_KEY = os.getenv("MINIMAX_API_KEY")

response = requests.post(
    "https://api.minimaxi.com/v1/video_generation",
    headers={
        "Authorization": f"Bearer {API_KEY}",
Confidence
92% confidence
Finding
requests.post( "https://api.minimaxi.com/v1/video_generation", headers={ "Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json" }, json=

External Transmission

Medium
Category
Data Exfiltration
Content
with open("start_image.jpg", "rb") as f:
    img_base64 = base64.b64encode(f.read()).decode()

response = requests.post(
    "https://api.minimaxi.com/v1/video_generation",
    headers={"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"},
    json={
Confidence
96% confidence
Finding
requests.post( "https://api.minimaxi.com/v1/video_generation", headers={"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
### Generate video from first and last frames

```python
response = requests.post(
    "https://api.minimaxi.com/v1/video_generation",
    headers={"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"},
    json={
Confidence
88% confidence
Finding
requests.post( "https://api.minimaxi.com/v1/video_generation", headers={"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"}, json=

External Transmission

Medium
Category
Data Exfiltration
Content
API_KEY = os.getenv("MINIMAX_API_KEY")

response = requests.post(
    "https://api.minimaxi.com/v1/video_generation",
    headers={
        "Authorization": f"Bearer {API_KEY}",
        "Content-Type": "application/json"
Confidence
90% confidence
Finding
https://api.minimaxi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
# Query status
status_resp = requests.get(
    f"https://api.minimaxi.com/v1/query/video_generation?task_id={task_id}",
    headers={"Authorization": f"Bearer {API_KEY}"}
)
status = status_resp.json()["status"]
Confidence
86% confidence
Finding
https://api.minimaxi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
# Get the download link (valid for 1 hour; must be downloaded immediately)
    file_resp = requests.get(
        f"https://api.minimaxi.com/v1/files/retrieve?file_id={file_id}",
        headers={"Authorization": f"Bearer {API_KEY}"}
    )
    download_url = file_resp.json()["file"]["download_url"]
Confidence
91% confidence
Finding
https://api.minimaxi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
img_base64 = base64.b64encode(f.read()).decode()

response = requests.post(
    "https://api.minimaxi.com/v1/video_generation",
    headers={"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"},
    json={
        "model": "MiniMax-Hailuo-2.3",
Confidence
96% confidence
Finding
https://api.minimaxi.com/

External Transmission

Medium
Category
Data Exfiltration
Content
```python
response = requests.post(
    "https://api.minimaxi.com/v1/video_generation",
    headers={"Authorization": f"Bearer {API_KEY}", "Content-Type": "application/json"},
    json={
        "model": "MiniMax-Hailuo-02",
Confidence
88% confidence
Finding
https://api.minimaxi.com/

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.