Read AI

Security checks across malware telemetry and agentic risk

Overview

This skill handles useful meeting data, but it also reaches broad always-on conversation lifelogs and stores or forwards sensitive content with incomplete disclosure and controls.

Review before installing. Only use this if you are comfortable granting access to both Read AI meeting records and Limitless conversation lifelogs. Avoid the --ai option unless sending excerpts to Claude is acceptable, keep the webhook bound to localhost or otherwise protected, and regularly secure or delete ~/.readai and ~/.config/readai because they may contain transcripts, lifelogs, webhook logs, and API keys.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Keep it concise and actionable."""

    try:
        result = subprocess.run(
            ["claude", "-p", "--model", "sonnet"],
            input=prompt, capture_output=True, text=True, timeout=120,
        )
Confidence
89% confidence
Finding
result = subprocess.run( ["claude", "-p", "--model", "sonnet"], input=prompt, capture_output=True, text=True, timeout=120, )

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documentation expands a Read AI meeting integration into a Limitless pendant source, changing the data scope from meeting records to general conversation capture. This is dangerous because users invoking a meeting assistant may not realize the skill can reach unrelated recordings.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The phrase 'captures all conversations including meetings' indicates access to comprehensive lifelog data beyond the justified meeting-management use case. Over-collection of sensitive spoken content raises substantial privacy and confidentiality risks, especially for bystander conversations or non-meeting contexts.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The local storage layout includes Limitless lifelog datasets and indexing under the same skill, extending scope beyond Read AI meeting management. Persisting broader datasets locally increases exposure in the event of local compromise, accidental sharing, or misuse by other tools.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The documented 'Limitless Lifelog Pull' capability is broader than a meeting-oriented skill and enables collection of daily pendant recordings and AI summaries. Because lifelog data may include private, non-work, or third-party conversations, misuse or misunderstanding can lead to significant privacy harm.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a Read AI integration, but the code actually accesses Limitless AI pendant lifelog data and stores it locally. This scope mismatch is dangerous because it can cause users or operators to authorize or run the skill under false assumptions, leading to unauthorized access and handling of a different, potentially more sensitive data source.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code sends private conversation-derived content to an external Claude CLI for summarization, which is not justified by the declared Read AI data retrieval capability. In the context of a meeting-data skill, adding an undisclosed secondary AI-processing channel increases privacy and compliance risk because sensitive speech content may leave the expected boundary.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description focuses on fetching and managing meeting data, but the implementation silently persists full meeting content, including summaries and potentially transcripts and participant details, to local disk. Because meeting data often contains sensitive business discussions and personal information, undisclosed persistent storage materially increases confidentiality and retention risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation states that webhook meeting data and transcripts are stored locally, but does not prominently warn users about retention of sensitive content. Meeting summaries and transcripts often contain confidential business or personal information, so silent local persistence increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Meeting and conversation content is assembled into a prompt and passed to an external AI tool without any warning, confirmation, or consent flow. Because lifelog data can contain highly sensitive personal and business information, undisclosed transfer to a third-party model materially increases confidentiality and regulatory risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script persists raw lifelogs, extracted entries, and summaries to local disk under the user's home directory without disclosure or retention controls. Storing sensitive transcripts and metadata indefinitely expands the attack surface by exposing private data to local compromise, backups, or unintended sharing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The client writes meeting JSON and markdown exports containing potentially sensitive transcripts, participant emails, action items, and summaries to local files without explicit notice or consent. In shared workstations, synced home directories, backups, or multi-user systems, this can expose confidential meeting content well beyond the intended session.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When no local results are found, the script silently falls back to querying the Read AI API, which may access remote meeting metadata and content the user did not expect to search. In a meeting-search skill handling potentially sensitive summaries, transcripts, and participant data, this lack of explicit disclosure or consent can cause unintended data exposure across trust boundaries and undermine user privacy expectations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The webhook receiver persists full meeting payloads, including summaries, participants, action items, and possible transcripts, directly to disk under the user's home directory. In this skill context, that data is likely sensitive business or personal meeting content, so storing it by default without explicit user notice, minimization, retention controls, or access protections increases the risk of privacy exposure if the host is shared, backed up, or later compromised.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The application logs the incoming webhook payload snippet, which may contain meeting summaries, attendee names, transcript text, or other confidential content. Logs are often broadly accessible to operators, shipped to external logging systems, or retained longer than primary data, so this creates an additional unintended disclosure path for sensitive meeting information.

VirusTotal

64/64 vendors flagged this skill as clean.
