Meeting Mastery

Security checks across malware telemetry and agentic risk

Overview

This meeting assistant is useful and purpose-aligned, but it stores and reuses detailed personal contact profiles without clear consent, retention, or deletion controls.

Install only if you are comfortable with an agent keeping meeting notes, action logs, audits, and contact history across sessions. Before use, set clear rules: limit attendee research to business-relevant facts, do not store personal-life details without permission, exclude confidential or regulated meetings from memory and audits, review all drafts before sending, and periodically delete or edit stored contact cards and meeting files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium (95% confidence)
The skill instructs persistent storage of personal profile details such as family information, diet, hobbies, and sentiment history that exceed what is necessary for ordinary meeting preparation. This creates unnecessary privacy risk, expands the consequences of data leakage or misuse, and may violate data-minimization expectations or policy requirements.

Context-Inappropriate Capability

Medium (92% confidence)
The skill directs broad profiling of attendees using web search, company news, LinkedIn-style summaries, and mutual connections for every external attendee. Even if framed as meeting prep, this goes beyond minimal context gathering and can lead to collection of unnecessary personal data, inaccurate profiling, or policy-noncompliant enrichment.

Missing User Warnings

Medium (92% confidence)
The README promotes attendee research, persistent relationship memory, note capture, and automated follow-up on meeting data without any disclosure of privacy boundaries, consent expectations, retention limits, or handling of sensitive business/personal information. In a meeting-assistant context, this increases the risk of collecting, storing, and reusing personal or confidential data in ways users may not anticipate, which can lead to privacy violations, policy noncompliance, or accidental exposure.

Vague Triggers

Medium (82% confidence)
The example invocations are very broad (for example, 'Take notes for standup' and 'Meeting audit') and do not clearly constrain which meetings, calendars, date ranges, or data sources the agent may access. In a skill that can research attendees, persist relationship context, and automate follow-ups, underspecified triggers can cause unintended activation against the wrong meeting or over-broad access to organizational data.

Missing User Warnings

Medium (94% confidence)
The skill defines persistent storage of contact cards and meeting histories, including personal notes and sentiment trends, without any user-facing warning, consent flow, or handling guidance. Lack of transparency around retention and privacy controls increases the chance of inappropriate collection, long-term accumulation, and downstream disclosure of personal data.

Missing User Warnings

Medium (90% confidence)
The skill tells the agent to research external attendees through web and LinkedIn-like sources and combine that with relationship tracking, but gives no warning to the user about privacy implications or data provenance. This lack of notice makes covert profiling more likely and may cause users to unknowingly collect or rely on personal data beyond the original purpose.

Ssd 3

Medium (96% confidence)
The relationship-memory design encourages retaining detailed attendee information across meetings, including personal notes, sentiment trends, and open threads, for reuse in future interactions. Persistent reuse of broad personal context increases privacy exposure, can enable profiling beyond immediate meeting needs, and magnifies harm if the stored data is leaked, repurposed, or becomes inaccurate.

VirusTotal

64/64 vendors flagged this skill as clean.