Recipe Create Meet Space

Security checks across malware telemetry and agentic risk

Overview

This recipe does what it claims, but it would create an open Google Meet link and email it to a fixed address without asking the user first.

Review and edit this recipe before running it. Confirm the intended recipients, message content, and whether OPEN meeting access is acceptable for your organization; do not run the Gmail send step as written unless team@company.com is truly the intended recipient.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Low

Confidence: 88% confidence
Finding: The skill instructs the agent to send an email to an external recipient without any explicit user confirmation or warning that external communication will occur. Even though the content is only a meeting link, this can still cause unintended disclosure of meeting access details or trigger outbound communication the user did not mean to send.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal