minimax-music-gen

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly accepts arbitrary public URLs as input (e.g., SKILL.md Cover Mode: "mmx music cover ... --audio <source_url>") and the playback/script tools (play_music.py --url, vinyl_player/mpv_player.sh) fetch and stream/save those URLs, and the workflow states that if no lyrics are provided "the original lyrics are extracted via ASR automatically" — meaning untrusted, user-supplied third‑party audio/text is ingested and can directly influence generation and subsequent agent actions.