Meet

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Meet CLI guide for managing outsourced tasks, with real workflow risks that users should confirm before acting.

Install only if you trust the Meet service and the meet-cli package. Before using it, confirm every publish, claim, deliver, complete, abandon, and download action with the task ID; review folders before upload; avoid secrets or proprietary data unless authorized; and inspect or isolate downloaded deliverables before opening them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The decision tree maps broad natural-language phrases like '看看有什么任务可以做' or '通过了' directly to state-changing CLI actions. In an agent setting, these overlapping everyday phrases can cause unintended task claiming, downloading, abandoning, or completion when the user did not explicitly authorize the operation.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill exposes commands that upload local directories, download remote artifacts, and permanently change task state, but it does not warn about data disclosure, untrusted file retrieval, or irreversible workflow actions. In an agent workflow, this increases the chance that sensitive local files are uploaded or that untrusted downloads are handled without review.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal