lark-meeting

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Lark meeting-room booking helper that uses local Lark credentials to find rooms, create calendar events, and store local room preferences.

Install only if you are comfortable letting this skill use your local lark-cli login to inspect meeting rooms, check availability, create calendar events, and add room resources. Confirm the exact time, timezone, title, and calendar before booking, and avoid the sudo ownership command unless you understand the path and need to repair local file permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs the agent to read and write local repository files and execute Python commands, yet no explicit permissions are declared. This creates a trust and containment gap: a caller may invoke the skill without realizing it can modify files and run shell commands on the host, increasing the risk of unintended local changes or command execution.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file exposes a general calendar event listing capability via get_calendar_events, which is broader than the stated purpose of booking meeting rooms. In a skill intended only for room booking, this creates unnecessary access to potentially sensitive calendar metadata and increases the blast radius if the skill is invoked with untrusted or overly broad inputs.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The attendee enumeration function allows retrieval of attendee lists for arbitrary calendar events, which exceeds the declared meeting-room booking scope. Attendee lists can reveal sensitive organizational relationships, meeting participation, and resource usage, making this a privacy and data-minimization issue even if the code is not overtly malicious.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The markdown tells the AI to directly edit conf/meeting_room_blacklist.json based on user instructions, but does not require an explicit warning that repository data will be modified. Silent file mutation is risky because users may think they are making a one-time booking preference while the agent is actually persisting changes that affect future behavior.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
Defaulting all natural-language times to +08:00 without explicit user choice can cause bookings to be created at the wrong time, especially for distributed teams or travelers. Because this skill performs real calendar and room-booking actions, a timezone assumption can lead to unauthorized or disruptive reservations even without malicious intent.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code can create calendar events and add room attendees without any visible confirmation, approval gate, or user-facing warning in this layer. In an agent setting, silent mutation of a user's calendar or meeting room reservations can lead to unauthorized bookings, spam invitations, or operational disruption if the skill is triggered accidentally or by prompt manipulation upstream.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
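- After changing **name / room_id** rules, the change affects the next booking **without re-running initialization** (the booking script reads the blacklist).  
- When changing **capacity** rules, or when you want to **re-pull the full list from Feishu**, run `meeting_init_processor.py` **once more** after the user confirms (same city/building/floor) to refresh `rooms` in `meeting.json`.

**Permission note:** If `conf/` cannot be written, you can prompt the user to grant access in a terminal, for example: `sudo chown -R $(whoami):staff <skill repo>/conf/` (replace the path with the actual skill directory).

## Entry command (run from the repository root)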
Confidence
88% confidence
Finding
sudo

VirusTotal

63/63 vendors flagged this skill as clean.
