video-generation-minimax

Security checks across malware telemetry and agentic risk

Overview

This MiniMax video-generation skill appears purpose-aligned, but it needs review because it sends prompts and face-image URLs to a third-party service and downloads provider-returned files with weak bounds.

Review before installing. Use it only with prompts and image URLs you are comfortable sending to MiniMax, avoid face photos or sensitive media unless you have consent and understand the provider’s handling, protect the MINIMAX_API_KEY, and clean up generated videos from the workspace when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tainted flow: 'download_url' from requests.get (line 120, network input) → requests.get (network output)

Medium
Category
Data Flow
Content
    print(f"正在下载视频到 {output_path}...")
    with open(output_path, "wb") as f:
        video_response = requests.get(download_url)
        video_response.raise_for_status()
        f.write(video_response.content)
    print(f"视频已成功保存至 {output_path}")
Confidence
94% confidence
Finding
video_response = requests.get(download_url)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill states that generated videos are automatically downloaded into the workspace and then sent to the user, but it does not clearly disclose the file-write behavior or outbound data flow. This can lead to unexpected persistence of generated content in shared storage and unreviewed transmission of files, which is risky if the content is sensitive or the workspace is multi-tenant.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill requires a third-party API key and uses a remote video-generation service, but it does not warn that prompts, image URLs, and potentially user-supplied media references are sent to MiniMax. This is a material data-handling omission because users may provide confidential text or images without understanding that the data leaves the local environment and is processed by an external provider.

VirusTotal

65/65 vendors flagged this skill as clean.
