Skill v1.0.0

VirusTotal security

MiniMax Speech 2.8 · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 3:56 AM
Hash
38088964efb6ddc4cdc4d073026de76f28ca60161cd771464fd3ac9dcd8e6e5a
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: minimax-speech
Version: 1.0.0

The `scripts/minimax_tts.py` skill, while intended for legitimate MiniMax API interaction, contains several vulnerabilities. The `--endpoint` argument allows the `MINIMAX_API_KEY` to be sent to an arbitrary URL, posing a risk of credential exfiltration if the AI agent is prompted to use a malicious endpoint. Additionally, the `--output` argument in both `tts` and `voices` subcommands is vulnerable to path traversal, potentially allowing arbitrary file writes outside the intended directory. The `decode_audio` function also allows downloading content from arbitrary URLs if the `output_format` is set to `url` and the API response contains a malicious URL. These are significant vulnerabilities that could be exploited via prompt injection or malicious input, but there is no clear evidence of intentional malicious design within the code or `SKILL.md`.