Fireflies

Security checks across malware telemetry and agentic risk

Overview

The skill largely behaves as a Fireflies.ai meeting-data helper, but it also instructs agents on creating permanent, no-login sharing links for meeting content, with no safeguards around consent, approval, expiry, or access control.

Install only if you are comfortable giving the agent access to Fireflies meeting data and you will control its use carefully. Treat transcript, audio, video, attendee, and contact data as confidential; use narrow transcript IDs or date ranges, and do not ask the agent to create or share embed links unless the meeting is approved for external disclosure and all consent and company policy requirements are satisfied.
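One way to put the guidance above into practice, as an added example that is not code from the scanned skill, from Fireflies.ai, or from the scanner: a default-deny policy gate that an agent harness runs before each tool call. Reads are allowed only when scoped to one transcript ID or to a bounded date range; share-link creation is allowed only for transcripts a human has approved for external disclosure, and only with an expiry, so a permanent no-login link is never issued. The tool names (get_transcript, list_transcripts, create_share_link, and so on), the argument keys, and the approval set are hypothetical stand-ins for whatever the real skill exposes.

```python
"""Policy gate for an agent's Fireflies tool calls.

Added example for this review; it is not code from the scanned skill or from
Fireflies.ai. Tool names, argument keys and the approval list are assumptions
standing in for whatever the real skill exposes.
"""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical tool names (assumption: the real skill may name them differently).
READ_TOOLS = {"get_transcript", "list_transcripts", "get_summary"}
SHARE_TOOLS = {"create_share_link", "create_embed_link"}

MAX_RANGE_DAYS = 14   # widest date window one listing query may cover (policy choice)
MAX_LINK_DAYS = 30    # longest lifetime a sharing link may be given (policy choice)


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class SharePolicy:
    """Default-deny gate: reads must be scoped, shares must be approved and expire."""

    # Transcript IDs a human has approved for external disclosure (assumed input
    # from an out-of-band approval process such as a ticket or sign-off record).
    approved_for_external: set = field(default_factory=set)

    def evaluate(self, tool: str, args: dict) -> Decision:
        if tool in SHARE_TOOLS:
            return self._evaluate_share(args)
        if tool in READ_TOOLS:
            return self._evaluate_read(args)
        # Anything the skill was not declared to need is refused outright.
        return Decision(False, f"unknown tool {tool!r}: default deny")

    def _evaluate_read(self, args: dict) -> Decision:
        # A single, explicit transcript ID is the narrowest scope; allow it.
        if args.get("transcript_id"):
            return Decision(True, "scoped to one transcript")
        start, end = args.get("from_date"), args.get("to_date")
        if not (start and end):
            return Decision(False, "listing needs a transcript_id or a bounded date range")
        try:
            span = (date.fromisoformat(end) - date.fromisoformat(start)).days
        except ValueError:
            return Decision(False, "dates must be ISO-8601 (YYYY-MM-DD)")
        if span < 0:
            return Decision(False, "to_date precedes from_date")
        if span > MAX_RANGE_DAYS:
            return Decision(False, f"date range of {span} days exceeds {MAX_RANGE_DAYS}")
        return Decision(True, f"scoped to a {span}-day window")

    def _evaluate_share(self, args: dict) -> Decision:
        transcript = args.get("transcript_id")
        if not transcript:
            return Decision(False, "share request without a transcript_id")
        if transcript not in self.approved_for_external:
            return Decision(False, f"{transcript} is not approved for external sharing")
        ttl = args.get("expires_in_days")
        # A missing TTL means a permanent link: the exact pattern the findings flag.
        if ttl is None:
            return Decision(False, "permanent no-login links are not permitted")
        if isinstance(ttl, bool) or not isinstance(ttl, int) or not 1 <= ttl <= MAX_LINK_DAYS:
            return Decision(False, f"expires_in_days must be an integer in 1..{MAX_LINK_DAYS}")
        return Decision(True, f"approved transcript, link expires in {ttl} days")


def demo() -> list:
    """Run constructed tool requests (sample data, not real calls) through the gate."""
    policy = SharePolicy(approved_for_external={"tx-approved"})
    requests = [
        ("get_transcript", {"transcript_id": "tx-1"}),
        ("list_transcripts", {}),
        ("list_transcripts", {"from_date": "2024-05-01", "to_date": "2024-05-07"}),
        ("list_transcripts", {"from_date": "2024-01-01", "to_date": "2024-05-07"}),
        ("create_share_link", {"transcript_id": "tx-1", "expires_in_days": 7}),
        ("create_share_link", {"transcript_id": "tx-approved"}),
        ("create_share_link", {"transcript_id": "tx-approved", "expires_in_days": 7}),
        ("run_shell", {"cmd": "env"}),
    ]
    results = [policy.evaluate(tool, args) for tool, args in requests]
    for (tool, _), d in zip(requests, results):
        print(f"{'ALLOW' if d.allowed else 'DENY ':5} {tool:20} {d.reason}")
    return results


if __name__ == "__main__":
    demo()
```

Wire `SharePolicy.evaluate` into the agent runtime as middleware that runs before any tool call reaches the skill, and populate `approved_for_external` from a human sign-off record rather than from anything the agent can write to; the gate is only as strong as the separation between the approval list and the model's own outputs.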

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The documentation expands a read/query skill into guidance for constructing permanent, no-login sharing links for meeting recordings/transcripts. That materially changes the capability from internal data access to external disclosure of sensitive meeting content, increasing the risk of unauthorized distribution of confidential business discussions and personal data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill's stated purpose is accessing transcripts and analytics, but this section facilitates external distribution to prospects or clients using unauthenticated links. That unjustified expansion increases the blast radius from internal retrieval to broad sharing of potentially confidential recordings and transcripts.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding
The skill immediately presents broad access to meeting transcripts, summaries, participant emails, and analytics without any privacy, consent, or data-handling warning. For a system centered on meeting content, omission of such safeguards can normalize unsafe access to sensitive personal and business information.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The documentation explicitly encourages sharing permanent no-login meeting links with external parties and highlights that no account is required. This promotes disclosure of meeting artifacts without emphasizing consent, confidentiality, retention, or access-control risks, making accidental data leakage more likely.

Ssd 3

Severity: High
Confidence: 98%
Finding
These instructions operationalize creation of unauthenticated external links for recordings/transcripts, enabling anyone with the URL to access potentially sensitive meeting content. Because meetings often contain confidential strategy, customer data, or employee information, public sharing links create a significant confidentiality risk.

VirusTotal

0/66 vendors flagged this skill as malicious; all 66 reported it clean.
