MiniMax CLI

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward MiniMax CLI usage skill with normal cautions around installing an external CLI and protecting an API key.

Before installing, verify that `mmx-cli` is the MiniMax CLI package you intend to trust. Use a dedicated or revocable MiniMax API key, prefer environment-variable or interactive secret entry when available, avoid pasting real keys into shared terminals or scripts, and do not send sensitive prompts, images, audio, or video unless MiniMax processing is acceptable for that data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill instructs users to pass a live API key directly on the command line (`mmx auth login --api-key sk-xxxxx`) without any warning about shell history, process listing, or logging exposure. In an agent/CLI context this is risky because secrets provided as command arguments are commonly captured by terminal history, telemetry, CI logs, or visible to other local users via process inspection.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal