Meeting Assistant

Security checks across malware telemetry and agentic risk

Overview

This meeting-notes skill is purpose-aligned and stores data locally, but users should know meeting details can be saved on disk.

Install only if you are comfortable with meeting titles, attendees, notes, and action items being stored in local JSON files. Avoid using it for highly confidential meetings unless you have a clear retention/deletion practice, and do not rely on reminders or calendar integration until you verify those features are actually implemented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger conditions are very broad and match common meeting-related language without clear boundaries, which can cause the skill to activate unexpectedly for ordinary user requests. In a skill that can read/write files and schedule reminders, overbroad activation increases the chance of unintended data handling or actions being taken in the wrong context.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill states that it stores meeting records locally, including attendees, notes, and action items, but does not clearly notify the user or obtain consent for local persistence. Because meeting notes often contain sensitive business or personal information, silent storage creates privacy and data exposure risk, especially on shared or inadequately secured systems.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill stores meeting records and minutes to local JSON files without notifying users that potentially sensitive business discussions, attendees, and action items will be retained on disk. In a multi-user host, shared workspace, or endpoint compromise scenario, this can expose confidential operational or personal information beyond the user's expectations.

Missing User Warnings

Medium
Confidence: 95%
Finding
User-supplied meeting content is transformed into minutes and then written to disk automatically, again without explicit notice or consent. Because meeting text may include sensitive internal decisions, names, schedules, or action items, silent persistence increases the risk of unintended disclosure and privacy violations.

VirusTotal

66/66 vendors flagged this skill as clean.
