Trust Assessment
minimax-usage received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The finding is arbitrary command execution via untrusted `.env` file sourcing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Arbitrary command execution via untrusted .env file sourcing. The script uses `source "$(dirname "$0")/../../.env"` to load environment variables. If an attacker can manipulate the content of this `.env` file, they can inject arbitrary shell commands. These commands will be executed with the same privileges as the script, leading to a critical command injection vulnerability. This also makes variables like `MINIMAX_GROUP_ID` and `MINIMAX_CODING_API_KEY` susceptible to containing malicious shell metacharacters, which could then be further exploited in subsequent commands (e.g., in the `curl` call). Avoid sourcing `.env` files directly, especially if their content might be influenced by untrusted input. Instead, parse the `.env` file line by line to extract key-value pairs, ensuring that no shell commands are executed. Alternatively, enforce strict validation on the `.env` file content or ensure it is stored in a secure, immutable location. For environment variables, prefer setting them directly in the execution environment rather than relying on file sourcing. | LLM | minimax-usage.sh:5 |