registry  /  my-minimax-mcp  /  1.8.1

my-minimax-mcp@1.8.1

MCP server wrapping MiniMax AI as autonomous code executor with agent loop for Claude Code

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
No blocking static signals were detected.
Trigger
User starts the MCP server or invokes CLI agent mode and submits an agent task.
Impact
A prompt-influenced remote agent can alter the selected project or execute whitelisted development commands; this is a dangerous dual-use capability, not a confirmed malicious chain.
Mechanism
User-invoked remote AI coding agent with constrained filesystem and shell tools.
Rationale
No source evidence supports a malware or install-time hijack verdict. The package nevertheless provides consequential remote-agent execution over a user-selected project, so it should be warned as dangerous dual-use capability.
Evidence
package.jsondist/mcp-server.jsdist/cli.jsdist/agent/safety.jsdist/agent/executor.jsdist/utils/path-safety.jsdist/client/minimax-client.jsdist/client/coding-plan-client.js~/.claude/minimax-usage.jsonl
Network endpoints2
api.minimax.io/v1api.minimax.io

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/agent/executor.js` exposes agent-directed project reads, writes, edits, and shell execution.
  • `dist/agent/executor.js` runs approved commands through `sh -c`; model tool calls can trigger it.
  • `dist/client/minimax-client.js` and `dist/client/coding-plan-client.js` send requested AI work to `https://api.minimax.io`.
  • `dist/cli.js` `--init` explicitly creates `~/.claude/minimax-usage.jsonl`; it does not copy or overwrite `CLAUDE.md`.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` hook.
  • `dist/mcp-server.js` starts MCP only when invoked; CLI is selected only with arguments.
  • `dist/agent/safety.js` rejects chaining, privileged commands, inline Node evaluation, download-to-shell patterns, and destructive shell patterns.
  • `dist/utils/path-safety.js` confines agent file operations to the supplied working directory.
  • No hidden endpoint, credential harvesting, remote payload loading, or stealth persistence was found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 32 file(s), 147 KB of source, external domains: api.minimax.io

Source & flagged code

4 flagged · loading source
dist/agent/executor.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/agent/executor.js` exposes agent-directed project reads, writes, edits, and shell execution.

dist/agent/executor.jsView on unpkg
Published source reference
Medium
Ai Review Evidence

`dist/agent/executor.js` runs approved commands through `sh -c`; model tool calls can trigger it.

dist/agent/executor.jsView on unpkg
dist/client/minimax-client.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/client/minimax-client.js` and `dist/client/coding-plan-client.js` send requested AI work to `https://api.minimax.io`.

dist/client/minimax-client.jsView on unpkg
dist/cli.jsView file
Published source reference
Medium
Ai Review Evidence

`dist/cli.js` `--init` explicitly creates `~/.claude/minimax-usage.jsonl`; it does not copy or overwrite `CLAUDE.md`.

dist/cli.jsView on unpkg

Findings

6 Medium5 Low
MediumNetwork
MediumEnvironment Vars
MediumAi Review Evidencedist/agent/executor.js
MediumAi Review Evidencedist/agent/executor.js
MediumAi Review Evidencedist/client/minimax-client.js
MediumAi Review Evidencedist/cli.js
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings