Back to skill

Security audit

Fireflies

Security checks across malware telemetry and agentic risk

Overview

This Fireflies skill is mostly a legitimate meeting-data helper, but it also promotes permanent no-login sharing links for sensitive meeting content without adequate safeguards.

Install only if you are comfortable giving the agent access to Fireflies meeting data. Treat transcripts, recordings, participant emails, contacts, and analytics as confidential; use narrow queries and do not generate or share embed links unless the meeting is explicitly approved for external disclosure under your organization’s consent and data-handling policies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill explicitly documents how to construct permanent, unauthenticated share links for meeting recordings/transcripts and even recommends them for sharing with external parties. Because the skill’s core purpose is accessing Fireflies data via API, adding guidance to bypass login-based access controls materially increases the chance of unauthorized disclosure of sensitive meeting content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation immediately encourages querying transcripts, participant emails, action items, and analytics without any privacy, consent, or data-handling warning. Since meeting transcripts often contain confidential business and personal data, omission of such guidance makes accidental over-collection and over-sharing substantially more likely.

Missing User Warnings

High
Confidence
97% confidence
Finding
The embed-URL instructions state that no Fireflies account is required and present this as a benefit, but omit any warning that anyone with the link may access meeting content. In context, this normalizes external exposure of sensitive recordings and transcripts and could lead users to leak confidential information to unintended recipients.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.