minimax-web-search
Audited by Socket on Feb 28, 2026
1 alert found:
Malware

This skill README/doc is functionally coherent with its purpose (install uvx, install a MiniMax MCP component, configure an API key, and call web_search). However, it contains multiple supply-chain and credential-handling risks: it recommends curl|bash installation from a third-party domain (astral.sh), directs installation of an unpinned MCP package via uvx, suggests aggregating and storing API keys in plaintext under the user's home directory, and forwards API keys/queries to a locally-installed MCP process (third-party code). These behaviors are proportionate to the stated goal (running a third-party MCP service) but raise notable security concerns — primarily supply-chain compromise and credential exposure/forwarding.

I classify this as suspicious/vulnerable rather than confirmed malware: exercise caution, avoid pipe-to-shell installs without verification, prefer pinned packages or manual review of installers, store API keys with proper file permissions or a secrets manager, and vet the MCP server code before running it.