minimax-multimodal-toolkit

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask the user for their MiniMax API key and to produce/export commands like export MINIMAX_API_KEY="sk-..." which requires including the secret verbatim in its output, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly accepts and sends public/untrusted image URLs as reference content (e.g., --ref-image in scripts/image/generate_image.sh and --first-frame / --subject-image in scripts/video/generate_video.sh, documented in SKILL.md) which are ingested by the generation pipeline and directly influence subsequent model actions/outputs, creating a clear vector for indirect prompt injection from third-party content.