会议智脑(MeetingOS)

Security checks across malware telemetry and agentic risk

Overview

This meeting automation skill is not clearly malicious, but it needs review because it can send meeting content to external workplace tools under broad triggers and has inconsistent packaging and disclosure.

Install only if you are comfortable with meeting transcripts, summaries, action items, and user identifiers being sent to configured services such as Feishu, WeCom, Notion, OpenAI, or SkillPay. Review and narrow the trigger wording, add confirmation before posting or creating tasks, validate webhook hosts, fix the missing requirements file and broken main_processor.py, and avoid running cleanup on original local recordings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tainted flow: 'save_path' from os.getenv (line 240, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
# Write to file
    downloaded_bytes = 0
    with open(save_path, "wb") as f:
        for chunk in response.iter_content(chunk_size=8192):
            if chunk:
                f.write(chunk)
Confidence
92% confidence
Finding
with open(save_path, "wb") as f:

Tainted flow: 'WECOM_WEBHOOK_URL' from os.getenv (line 17, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
},
    }

    response = requests.post(WECOM_WEBHOOK_URL, json=payload, timeout=10)
    response.raise_for_status()
    result = response.json()
Confidence
88% confidence
Finding
response = requests.post(WECOM_WEBHOOK_URL, json=payload, timeout=10)

Tainted flow: 'WECOM_WEBHOOK_URL' from os.getenv (line 17, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
payload = {"msgtype": "markdown", "markdown": {"content": content}}

    response = requests.post(WECOM_WEBHOOK_URL, json=payload, timeout=10)
    response.raise_for_status()
    result = response.json()
Confidence
88% confidence
Finding
response = requests.post(WECOM_WEBHOOK_URL, json=payload, timeout=10)

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The comments minimize the security significance of loading configuration by repeatedly stating it 'will not' cause network activity, yet those same values are later used for authentication and outbound API calls. Misleading security-relevant comments can cause reviewers and operators to underestimate data transmission and credential use, increasing the chance of unsafe deployment or misuse.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger description is very broad and includes many common meeting-related phrases, which can cause the skill to activate for routine conversations where the user did not clearly intend to invoke it. Because this skill can process recordings and push action items to external services, unintended invocation increases the risk of unnecessary data handling or accidental downstream actions.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The 'When to Use' section contains broad natural-language examples that overlap with ordinary productivity requests, making over-triggering more likely. In the context of a skill that may transcribe recordings and send summaries to third-party integrations, accidental activation can expose sensitive meeting content or create unintended tasks/messages.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
Webhook-based transmission to an externally configured endpoint without explicit disclosure is risky because users may assume internal-only processing while the function can send arbitrary content over the network. Combined with the unvalidated full webhook URL, this increases the chance of accidental or malicious data leakage.

VirusTotal

64/64 vendors flagged this skill as clean.
