ClawHub

小米 MiMo TTS

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward text-to-speech skill that uses a MiMo API key, sends the text you choose to Xiaomi MiMo's API, and can save the returned audio as a WAV file.

Install this only if you trust Xiaomi MiMo to process the text you ask it to speak. Avoid sending secrets or highly sensitive private content, use a MiMo API key you are comfortable configuring for this purpose, and choose output paths intentionally because the skill can write WAV files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation demonstrates access to environment variables via MIMO_API_KEY but does not declare any corresponding permission or capability. This creates a transparency and policy gap: users and the platform may not understand that the skill depends on secret material and external service access, which increases the risk of unauthorized credential use or unexpected outbound requests.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are broad enough to match normal conversation such as 'read to me' or generic TTS-related requests, which can cause unintended invocation. In context, accidental activation may send user text to an external TTS provider and create files without sufficiently explicit user intent, making this more than a usability issue.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill description does not clearly warn users that their supplied text will be transmitted to Xiaomi's external API and that WAV files will be written locally. This omission undermines informed consent and can expose sensitive user content to third parties or local storage unexpectedly.

External Transmission

Medium
Category
Data Exfiltration
Content
client = OpenAI(
    api_key=os.environ.get("MIMO_API_KEY"),
    base_url="https://api.xiaomimimo.com/v1"
)

# Clip voice style
Confidence
93% confidence
Finding
https://api.xiaomimimo.com/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal