Meeting Notes Generator

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only meeting-notes helper, with no executable code, though users should be careful before sending sensitive transcripts to the referenced DeepSeek API.

Installation appears reasonable for non-sensitive or approved meeting-note workflows. Before using it with confidential, personnel, legal, financial, or regulated meetings, confirm that sending transcript contents to DeepSeek or any configured AI provider is allowed, and manually verify names, dates, decisions, action items, and numbers despite the skill's completeness claims.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (84% confidence)
Finding
The trigger phrases are broad enough to match common requests about meetings, which can cause the skill to activate unexpectedly on ordinary user input. In this skill, that increases the chance that sensitive meeting transcripts or uploaded documents are routed into an aggressive transformation workflow and potentially to external processing without clear, informed user intent.

Missing User Warnings

High (98% confidence)
Finding
The skill explicitly states it uses the DeepSeek API to process document contents, but the user-facing description does not warn that uploaded meeting documents may be sent to an external service. Because meeting notes often contain confidential business discussions, personal data, and internal decisions, this omission can lead to unauthorized disclosure and privacy/compliance violations.

VirusTotal

64/64 vendors flagged this skill as clean.
