Firefly AI

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Fireflies.ai meeting-data skill, but users should treat retrieved meeting transcripts and participant details as sensitive.

Install only if you want an agent to use a Fireflies.ai API key to read meeting records from that account. Prefer summaries or targeted searches, confirm before retrieving full transcripts for vague meeting requests, avoid unnecessary custom GraphQL queries, and save transcript files only when you are comfortable retaining that content in the workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill activation text is broad enough to trigger on generic meeting-related requests, which can cause the agent to invoke this integration when the user did not specifically intend to access Fireflies data. In context, that can unnecessarily expose sensitive meeting metadata or transcripts from a connected third-party account and create privacy or authorization mismatches.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation instructs saving full transcripts to workspace files without warning that meeting transcripts may contain highly sensitive business, personal, or regulated information. Persisting that data to disk increases retention, secondary access, and accidental disclosure risk beyond the immediate user response.

VirusTotal

66/66 vendors flagged this skill as clean.
