mmx-cli

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows and encourages embedding API keys (e.g., --api-key sk-xxxxx and export MINIMAX_API_KEY=sk-xxxxx) and per-call flags, which instructs an agent to include secrets verbatim in commands/outputs, creating exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill clearly ingests untrusted third‑party content — e.g., "mmx search query" performs web search, "mmx vision describe" accepts --image , and "mmx music cover" accepts --audio (and can extract lyrics from it) — which the agent is expected to read/interpret as part of its workflow and can materially influence subsequent outputs/actions.