Security audit

会议纪要助手 (Meeting Minutes Assistant)

Security checks across malware telemetry and agentic risk

Overview

The skill is a real meeting-notes tool, but it can auto-install dependencies and send meeting audio or text to cloud services without a clear consent step.

Install only if you are comfortable with the skill creating persistent meeting files, installing local dependencies, and potentially sending meeting text or raw audio to external speech services. For confidential meetings, disable cloud providers or require local-only ASR/TTS, avoid --auto-install unless you approve the package changes, and review output paths before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
pass
    print("[mindmap] Pillow not found, installing automatically …", file=sys.stderr)
    try:
        subprocess.check_call(
            [sys.executable, "-m", "pip", "install", "pillow", "--quiet",
             "--disable-pip-version-check", "--break-system-packages"],
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
Confidence
96% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "pillow", "--quiet", "--disable-pip-version-check", "--break-system-packages"], stdout=subp

subprocess module call

Medium
Category
Dangerous Code Execution
Content
except (subprocess.CalledProcessError, FileNotFoundError):
        # Retry without --break-system-packages (older pip)
        try:
            subprocess.check_call(
                [sys.executable, "-m", "pip", "install", "pillow", "--quiet",
                 "--disable-pip-version-check"],
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
Confidence
95% confidence
Finding
subprocess.check_call( [sys.executable, "-m", "pip", "install", "pillow", "--quiet", "--disable-pip-version-check"], stdout=subprocess.DEVN

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill directs the agent to use shell commands, read/write files, access environment variables, and potentially use networked dependencies, yet it declares no permissions. This creates a hidden capability surface where users or platform controls may not realize the skill can modify the system, install packages, or access sensitive local data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose is meeting-note generation, but the instructions also include dependency diagnosis, automatic installation/bootstrap, cleanup, and validation tooling that changes the host environment. This mismatch can mislead users into invoking a skill that performs broader system actions than expected, increasing the chance of unintended command execution or system modification.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill can optionally execute a local bootstrap shell script that installs packages and modifies the host environment, which exceeds the minimal expectations of an audio processing bridge. Even though gated behind a flag and limited to macOS, this materially increases attack surface because a compromised or tampered bootstrap script would run arbitrary commands on the user's machine.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code explicitly avoids forcing on-device recognition and uses the system-selected path, which can route meeting audio to Apple-managed cloud speech services depending on platform state and language support. In a meeting-notes skill, the input is likely sensitive business or personal conversation data, so undisclosed off-device processing creates a real privacy and data-handling risk.

Intent-Code Divergence

Low
Confidence
89% confidence
Finding
The comment says to let the system choose the 'best available path,' but that choice may include remote processing of the audio. Without a corresponding privacy warning or consent flow, the implementation can mislead maintainers or users into assuming neutral/local handling when sensitive meeting recordings may leave the device.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The script advertises that output is fixed to skill-controlled locations, but actually accepts arbitrary user-supplied output directories and also honors an environment variable. In an agent setting, this can be abused to write generated files outside the intended workspace into other writable locations, potentially overwriting user files, planting content in shared/public directories, or causing unintended data exposure.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The `_ensure_pillow()` routine is a true vulnerability because it changes the runtime environment by downloading and installing packages on demand. That creates a supply-chain execution path and can break system package boundaries, especially with `--break-system-packages`, which is explicitly risky on managed hosts. In a meeting processing skill, users would not reasonably expect dependency installation side effects during content export.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to match ordinary requests about meeting summaries, audio transcription, text-to-speech, or mind maps, which can cause the skill to auto-activate unexpectedly. In this skill's context, unexpected activation is more dangerous because activation can lead to shell execution, file writes, dependency checks, and possible installation steps.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill automatically converts text meeting notes into audio output without explicit user opt-in or a warning that additional artifacts will be generated and stored. For meeting content, this may create unnecessary copies of sensitive discussions in audio form, increasing privacy and data-retention risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill mandates automatic installation and execution of dependencies such as ffmpeg, edge-tts, and whisper-related tooling, including bootstrap scripts, without a clear safety boundary or explicit user consent. This is dangerous because it authorizes system changes and shell execution on the host, potentially introducing supply-chain risk or altering the environment unexpectedly.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The manifest sets allow_implicit_invocation: true without any visible narrowing conditions, which can cause the skill to be triggered from broad user phrasing or indirect contexts. Because this skill can initiate ASR/TTS workflows, install dependencies, and generate files, unintended activation increases the chance of surprising execution, unnecessary package installation guidance, or processing sensitive meeting audio/text without clear user intent.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The default prompt hard-codes the first user-facing message in Chinese, with no user choice or locale detection. While not a classic code-execution issue, this can mislead users, reduce comprehension of consent or processing steps, and increase the risk of users approving ASR/TTS or dependency-install actions they do not fully understand.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The --clean-temp path deletes files and directories from /tmp based on broad glob patterns without confirmation or strong ownership validation. If those patterns match unrelated files created by other local processes, the script can remove data unexpectedly, creating integrity and availability risks on the host.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The OpenAI TTS path sends meeting text to an external service without a prominent runtime disclosure or consent checkpoint at the call site. Because meeting notes can contain sensitive business or personal information, silent transmission to a third party creates a real confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The OpenAI ASR path uploads raw meeting audio to a remote transcription endpoint without clear runtime disclosure or affirmative consent. Raw recordings are often more sensitive than text summaries because they may include identities, tone, side conversations, and regulated content, making undisclosed external transmission a significant privacy issue.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
When --quick-copy is enabled, the script copies generated meeting artifacts into a shared private root under the user's home directory without any confirmation, warning, or sensitivity check. Meeting notes, summaries, audio briefings, and mind maps often contain confidential business information, so this behavior can unintentionally broaden data exposure and leave duplicate sensitive files in a more discoverable location.

VirusTotal

67/67 vendors flagged this skill as clean.