Meetings

Security checks across malware telemetry and agentic risk

Overview

This meeting helper is purpose-aligned and locally scoped, with privacy considerations around storing meeting notes but no evidence of hidden or harmful behavior.

Install this if you want a local meeting-notes and follow-up system. Before using it for confidential meetings, decide whether saving transcripts, attendee notes, communication preferences, and action items under ~/meetings/ is acceptable on your device, and ask the agent to confirm before writing or retaining sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium (86% confidence)
Finding
The skill name and description are broad enough that the assistant could invoke it in contexts that only loosely relate to meetings. Unintended activation could cause the skill to process sensitive work notes, transcripts, or attendee context when the user did not explicitly intend to use this workflow, increasing privacy and data-handling risk.

Vague Triggers

Medium (92% confidence)
Finding
The instruction to proactively alert about meetings and pending follow-ups is underspecified and lacks consent, scope, and timing constraints. In practice, this can lead to unrequested monitoring-like behavior, unexpected surfacing of sensitive meeting context, or actions based on stale or misinterpreted data.

Missing User Warnings

Medium (95% confidence)
Finding
The skill explicitly creates a local workspace and stores structured meeting records, but it does not warn the user that potentially sensitive business and personal data will be written to disk. This is dangerous because users may unknowingly persist confidential agendas, attendee details, decisions, and follow-ups in an unprotected location on shared or unmanaged systems.

Missing User Warnings

Medium (96% confidence)
Finding
The skill processes transcripts, audio-derived content, attendee histories, communication styles, and follow-up promises without any privacy notice or data minimization guidance. Because meeting content often includes confidential business information and personal data, silent collection, summarization, and retention materially increase the risk of privacy violations, oversharing, and inappropriate long-term profiling.

VirusTotal

64/64 vendors flagged this skill as clean.
