meeting record analysis

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it turns a user-provided meeting recording into minutes, but it sends meeting content to external AI services and saves the result locally.

Install only if you are comfortable sending meeting audio and transcript text to the configured ASR and LLM providers, and optional summary text to TTS when enabled. Use dedicated API keys, avoid highly confidential or regulated recordings unless those providers are approved, and delete saved JSON or MP3 outputs when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill declares operational capabilities such as environment-variable access, local file writing, and outbound network use, but does not declare corresponding permissions or constraints. This weakens user and platform visibility into what the skill can access and makes it easier for sensitive meeting data to be transmitted or stored without informed approval.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill explicitly sends meeting audio/transcripts to external ASR, LLM, and TTS endpoints, but provides no privacy notice, consent flow, or data-handling disclosure. Because meeting recordings commonly contain confidential business, personal, or regulated information, undisclosed third-party transmission creates a meaningful risk of privacy breach and compliance violations.

Missing User Warnings

Medium
Confidence: 93%
Finding: The skill states that structured meeting results are also saved locally as a JSON file, but does not warn users that sensitive meeting content will persist on disk. Local persistence increases the attack surface by leaving potentially confidential summaries, decisions, names, and action items available to other users, processes, backups, or forensic recovery.

Missing User Warnings

Medium
Confidence: 97%
Finding: The script sends raw meeting audio to ASR, transcript text to an LLM, and optional summary text to TTS providers, but the code contains no consent, warning, or user-facing disclosure mechanism. In a meeting-minutes skill, this is meaningful because recordings and transcripts commonly contain sensitive business, legal, or personal information.

VirusTotal

65/65 vendors flagged this skill as clean.
