MiniMax Speech 2.8

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward MiniMax text-to-speech helper with expected API-key, network, and file-output behavior, but users should avoid untrusted endpoints and choose output paths carefully.

Install only if you are comfortable using a MiniMax API key and sending TTS text to MiniMax. Use the default or verified MiniMax regional endpoints only, avoid confidential text unless MiniMax's terms are acceptable, install `requests` from a trusted source, and choose output paths deliberately because the script can write or overwrite the path you provide.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill documentation describes capabilities to read an API key from the environment, write output files, and send network requests, but the skill declares no permissions. This mismatch can bypass user/operator expectations and reduce security review visibility, especially because the skill transmits data to a third-party API and saves returned content locally.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal