ClawHub

Meeting

Security checks across malware telemetry and agentic risk

Overview

This meeting assistant is instruction-only and purpose-aligned, but users should be careful about meeting data retained in agent memory or workspace tools.

Install only if you are comfortable with the host agent and approved workspace connectors handling meeting details. Grant narrow calendar/workspace permissions, review drafts before distribution or task sync, and avoid highly confidential meeting content unless you understand the host agent's memory retention and deletion controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrase at line 29 ("generate minutes") is broad and maps closely to common, legitimate user requests that could occur outside the intended meeting skill context. In agent systems that auto-route by trigger text, this can cause unintended invocation of the skill, leading to inappropriate capture, synthesis, or persistence of meeting-related content and creating confusion or privacy exposure.

Vague Triggers

Low
Confidence
80% confidence
Finding
Several triggers are loosely scoped (for example, "prepare for meeting," "generate minutes," and "track commitments") and do not clearly limit activation to a specific workflow or context. This increases the chance of accidental skill selection or prompt collision with other general-purpose assistant tasks, which is especially relevant here because the skill handles structured notes, decisions, and commitment tracking across meetings.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill explicitly states that 'all meeting intelligence is stored within your private agent memory,' which creates a retention risk for potentially sensitive meeting content such as decisions, dissent, stakeholder context, and action items. Even if described as private and non-autonomous, persistent natural-language storage can expose confidential business information beyond the immediate task scope and may violate least-retention and data minimization expectations.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal