Minimax Monitor

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real MiniMax usage monitor, but it needs review because its local dashboard can use stored API keys and make live MiniMax requests without strong access controls.

Install only if you are comfortable with a local dashboard reading or storing a MiniMax API key, making live quota and probe calls to MiniMax, and optionally posting quota details to Feishu. Run the server only when needed, keep port 9876 local, prefer a dedicated limited-use MiniMax key, and avoid saving keys in the browser when possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill documentation indicates access to environment variables and outbound network interactions, but no permissions are declared. That creates a transparency and consent problem: a user may invoke the skill without understanding it can read secrets like API keys and communicate with external services. In this context, the risk is elevated because the skill also references MiniMax and Feishu credentials, which are sensitive and externally transmitted.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The declared purpose is quota monitoring, but the described behavior extends into active API probing, reading local config-based API keys, accepting custom API keys from headers, and sending data to Feishu. This is a meaningful scope expansion beyond simple monitoring and can expose credentials, generate unintended billable traffic, and transmit operational data to third parties. The mismatch makes the skill more dangerous because users are less likely to anticipate these actions or evaluate their privacy and cost implications.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The server accepts an API key from the incoming request header and uses it to make outbound MiniMax requests and CLI calls. That makes this monitoring service behave like a credentialed proxy/test harness rather than a passive monitor, which can be abused by any party who can reach the service to spend quotas, test keys, or route requests through the host.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The skill performs real inference probes, including burst and streaming requests, instead of only checking quota metadata. In a quota monitor context, actively generating model traffic increases cost and creates an API-exercising surface that can be triggered remotely, making abuse and unintended billing more likely.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding: The server enables `Access-Control-Allow-Origin: *` for its monitoring and probing endpoints, allowing any web page to issue cross-origin requests to a locally running service. In combination with endpoints that use the local API key by default, this creates a browser-to-localhost attack surface where a malicious site can trigger outbound provider requests and consume quota without the user's awareness.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The README explicitly states that the backend will automatically read an API key from `~/.mmx/config.json` and also supports pushing queried quota information to Feishu, but it does not prominently warn users that local credentials will be accessed and that usage data may be transmitted to a third party. In an agent/skill context, silent credential access and optional external transmission increase the risk of users running the tool without understanding the trust boundary or data flow.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger phrase "查配额" (roughly "check quota") is broad and likely to overlap with normal user requests, increasing the chance of accidental invocation. Because the skill can launch local programs, query remote APIs, and push data to Feishu, unintended activation could cause privacy leaks, unnecessary network activity, or unintended external notifications. The broad trigger is therefore not just a UX issue but a security-relevant invocation problem.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding: The invocation guidance mixes multiple generic phrases without clear exclusions, which increases ambiguity about when the skill should activate. In a skill that performs automatic browser launching and external API communication, ambiguous triggering raises the likelihood of unintended execution and data handling outside user expectations. The surrounding context makes this more dangerous than a harmless documentation flaw.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The skill states it will automatically execute the macOS `open` command to launch a local HTML page without a clear confirmation step. Automatic command execution is a meaningful side effect that can surprise users and normalize silent local actions, especially when coupled with a backend service and networked monitoring behavior. Even if the specific command is low-complexity, the lack of consent creates a security and trust issue.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The skill describes pushing quota information to Feishu but does not warn that usage data will be transmitted to an external messaging platform. Quota, model usage, and timing information may be operationally sensitive, and sending it to third-party infrastructure without clear disclosure can cause privacy or business-information leakage. The risk is amplified because the skill also uses Feishu application credentials from environment variables.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The code silently reads the user's MiniMax API key from a local config file and uses it as the default credential. Even though it does not exfiltrate the key directly, this creates implicit credential use without informed consent and increases risk when combined with remotely triggerable endpoints.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: These probe functions send live outbound requests using the local or caller-supplied API key without any explicit warning at request time. In a monitoring skill, silent credential-backed external calls are risky because they can incur cost, disclose usage patterns, and be triggered unexpectedly by other local clients or browser-originated requests.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The page stores a sensitive API key in browser localStorage and automatically reuses it on load. localStorage is readable by any script running in the page origin, persists across sessions, and is exposed to theft if the page or its backend is ever compromised, which makes this a real secret-handling weakness.

VirusTotal

63/63 vendors flagged this skill as clean.