voice-minimax

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it sends text to MiniMax to make speech audio, converts it, and sends the result to a Feishu/Lark user.

Install only if you are comfortable sending the text you provide to MiniMax and delivering generated audio to the configured Feishu/Lark recipient. Verify the API key and recipient ID before use, avoid sensitive content unless those services and recipients are appropriate, and delete generated local audio files when needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger phrase "生成语音" is very generic and likely to collide with ordinary conversational requests, causing the skill to activate when a user merely asks for help generating audio. Because the skill sends content to an external TTS provider and then delivers the result to a fixed Feishu recipient, accidental activation can lead to unintended disclosure and message sending.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill transmits user-provided text to MiniMax and sends generated audio/files to Feishu, but the documentation does not clearly warn users that their content leaves the local environment and is forwarded to third parties. This creates a real privacy and data-handling risk, especially if users assume the request is processed locally or are unaware of the recipient configured in the skill.

VirusTotal

65/65 vendors flagged this skill as clean.
