Security audit

会议记录助手

Security checks across malware telemetry and agentic risk

Overview

This is a simple meeting-notes skill that discloses local note and action-item storage and contains no executable code or hidden privileged behavior.

Install only if you are comfortable with meeting notes and action items being kept in local JSON files. Avoid storing secrets, credentials, or highly confidential meeting details, and periodically review or delete saved notes when they are no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium (87% confidence)
Finding
The trigger phrases are generic meeting-related terms that are likely to appear in normal conversation, which increases the chance of accidental or overly broad invocation. In a skill that stores notes and action items persistently, unintended activation could capture or process sensitive meeting content without clear user intent.

Missing User Warnings

Medium (92% confidence)
Finding
The skill explicitly stores meeting records and action items in persistent files but provides no notice about retention, access, deletion, or privacy implications. Because meeting notes often contain sensitive business or personal information, lack of transparency can lead to unintentional collection and long-term storage of confidential data.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.