Security audit

MiniMax文生图

Security checks across malware telemetry and agentic risk

Overview

This is a simple instruction-only image generation skill that uses a disclosed external MiniMax API, with minor clarity issues around routing and API-key naming.

Install if you want an agent to help generate images through MiniMax-style APIs. Use a dedicated API key when possible, confirm whether the expected key is DMXAPI_API_KEY or a MiniMax API key, and avoid sending private or sensitive prompts to the provider.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 89% confidence
Finding: The skill description says it should be used whenever a user needs image generation or AI drawing, which is broad enough to trigger on many common requests without clarifying limits, consent, or when the external API should not be used. In an agent setting, over-broad routing can cause unintended activation and transmission of user content to a third-party service.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The documentation explains how to call the external MiniMax API but does not clearly warn that user prompts and possibly image inputs will be sent to a third-party service. This creates a data-handling transparency issue and can expose sensitive user content without informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal