      minimax-ai-dev

      Safety Report

      Minimax-Multimodal-Toolkit

      @minimax-ai-dev

      Use mmx to generate text, images, video, speech, and music via the MiniMax AI platform. Use when the user wants to create media content, chat with MiniMax mo...

      3,477 Downloads
      19 Installs
      17 Stars
      3 Versions
      Video & Audio (6,125) · Image Processing (4,554) · Customer Support (3,665)

      Security Analysis

      medium confidence
      Suspicious · 0.04 risk

      The skill's instructions match its stated purpose (a CLI for MiniMax), but the SKILL.md expects the user/agent to supply and persist an API key to ~/.mmx/credentials.json and to install a global npm package, while the registry metadata declares no required credentials or config paths — an incoherence worth caution.

      Apr 8, 2026 · 1 file · 4 concerns

      Purpose & Capability: ok

      The name/description (generate text/images/video/speech/music via MiniMax) aligns with the runtime instructions: commands, flags, and examples all describe a multipurpose MiniMax CLI. No unrelated service or capability is requested.

      Instruction Scope: concern

      The SKILL.md instructs the agent/user to run 'npm install -g mmx-cli' and to authenticate with an API key (mmx auth login --api-key sk-xxxxx) which will be persisted to ~/.mmx/credentials.json. The registry metadata lists no required env vars or config paths, so the instructions require storing credentials and potentially reading/writing files that were not declared. The CLI also accepts file inputs (e.g., --messages-file, --text-file, --first-frame) and callback URLs for async video tasks; these allow reading local files or transmitting data to arbitrary endpoints, which is expected for a CLI but increases the attack/exfiltration surface if the skill is invoked with untrusted inputs.

      Install Mechanism: note

      There is no install spec in the registry (instruction-only), which is low risk from the skill bundle perspective. However, the guide tells the agent to perform a global npm install (npm install -g mmx-cli). Global npm installs modify the host and pull code from the npm registry (moderate risk); the skill metadata does not document or pin a package source. Users should verify the npm package's origin before running it.

      Credentials: concern

      Registry metadata declares no required env vars or primary credential, but the instructions clearly require an API key (sk-xxxxx) and describe persisting it to ~/.mmx/credentials.json. This is a mismatch: a secret is necessary for normal use but was not declared. The CLI also permits supplying callback URLs and reading file paths, increasing the potential for sensitive-data transmission if misused.

      Persistence & Privilege: concern

      The skill itself is not 'always' present and is user-invocable (normal). However, the recommended 'mmx auth login' will persist credentials to the user's home (~/.mmx/credentials.json), creating durable secrets on disk that the agent (or other processes) could access. The registry metadata did not declare this config path or credential persistence, creating a transparency gap.

      Guidance

      This skill appears to be a CLI usage guide for the MiniMax 'mmx' tool and is plausibly what it claims, but it has an important mismatch: the SKILL.md expects an API key and persistence to ~/.mmx/credentials.json, while the registry metadata declares no required credentials or config paths. Before installing or using this skill:

      1) Verify the skill's origin and the npm package 'mmx-cli' on the npm registry/GitHub — prefer official project pages and pinned releases.
      2) Prefer per-call --api-key usage rather than running 'mmx auth login' if you don't want credentials persisted; inspect ~/.mmx/credentials.json and its file permissions if you do authenticate.
      3) Avoid running 'npm install -g' on unverified packages; consider installing in an isolated container or virtual environment.
      4) Be cautious with callback URLs and file arguments (they can exfiltrate content) and never supply sensitive local file paths unless you trust the target.
      5) Ask the publisher to update registry metadata to declare the required API key/config path explicitly so the skill's requirements are transparent.

      Latest Release

      v1.0.2

      **Switch to `mmx-cli`: major simplification and platform change**

      - Replaces all separate bash scripts and API reference docs with a unified command-line interface (`mmx`).
      - Removes 15 legacy shell script and markdown reference files.
      - Updates skill name and description to reflect the new `mmx-cli` interface.
      - New workflow: install `mmx-cli` via npm and use a single CLI for text, image, video, speech, and music generation.
      - All instructions, options, and usage details are consolidated into the new SKILL.md focused on `mmx` commands and agent-friendly flags.


      Published by @minimax-ai-dev on ClawHub
