Meeting Efficiency Pro

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a meeting-analysis tool, but it stores and prints secrets in plaintext and presents mock calendar/reporting results as real integrations.

Install only after reviewing the code and treating it as a demo-quality tool, not a production calendar integration. Do not enter real AI, task-manager, calendar, or email credentials unless secrets are moved out of plaintext config and config output is redacted. Avoid processing confidential meeting notes until privacy, export storage, and mock-data behavior are clearly documented and fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding
The setup flow performs actions beyond passive meeting analysis: it invokes package installation and writes a local configuration file. While these behaviors may be common for CLI setup, they expand the skill's capability beyond the advertised scope and can modify the host environment without strong user consent or clear warnings.

Context-Inappropriate Capability

High
Confidence: 95%
Finding
The skill executes shell commands, including `npm install`, through a subprocess. Spawning shell commands increases attack surface and can lead to arbitrary code execution via package lifecycle scripts, PATH manipulation, or compromised dependencies, which is not necessary for core meeting-analysis functionality.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The `process` command accepts a user-supplied path and reads that file directly, allowing the skill to access arbitrary local files rather than only meeting notes in a constrained location. In an agent context, this can expose sensitive host data if a user or another component passes secrets, SSH keys, or unrelated system files as the notes input.

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding
The module includes add, update, and delete calendar operations even though the skill is described as an analysis and optimization tool. This expands capability from read-only analysis into state-changing behavior, increasing the risk of unauthorized or unexpected modification of users' calendar data if these methods are exposed through the agent.

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The initialization and connection flow present mock placeholder integrations as if a real calendar connection succeeded, and `testConnection` reports successful connectivity based on sample meetings. This can mislead users or higher-level agent logic into believing real calendar access exists, causing unsafe automation decisions, false assurance, and improper trust in actions taken on fabricated data.

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The code presents trend metrics as if they were week-over-week comparisons, but it fabricates baseline values using fixed multipliers instead of retrieving real historical data. In a meeting analytics tool, this can mislead users into making operational or managerial decisions based on false performance improvements or regressions, undermining trust and potentially driving harmful automation or reporting outcomes.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly processes calendar data, meeting notes, AI-provider content, and optional email/task-manager integrations, all of which can contain sensitive business or personal information. Failing to warn users about third-party processing, storage of tokens, and the privacy implications increases the risk of unintentional data exposure or noncompliant use.

Missing User Warnings

Medium
Confidence: 97%
Finding
The config command prints the full configuration object, which may include secrets such as `ai_api_key`, directly to stdout. This can leak credentials into terminal history, logs, screenshots, or agent transcripts, especially in hosted or shared environments.

Missing User Warnings

Medium
Confidence: 88%
Finding
The API docs explicitly support external AI providers and processing meeting notes, descriptions, and summaries, but they do not warn that sensitive meeting content may be sent to third-party services. In a meeting-analysis skill, this omission can lead developers to unknowingly transmit confidential business information, attendee data, decisions, or action items outside their trust boundary.

Missing User Warnings

Low
Confidence: 77%
Finding
The export and file-write examples encourage saving reports and summaries derived from meetings and notes without warning that these artifacts may contain sensitive operational or personal information. This can result in insecure local storage, accidental commits, broad file permissions, or exposure on shared systems.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script prompts for an AI API key and later writes the collected configuration to `config/default.json` without clearly warning the user that the secret will be stored on disk in plaintext. Local plaintext credential storage increases the risk of accidental exposure through weak file permissions, backups, screenshots, or committing the config file to source control.

Missing User Warnings

Medium
Confidence: 96%
Finding
The task-manager API token is requested interactively and then saved with the rest of the configuration, again without explicit disclosure that it will be written locally in plaintext. Because these tokens may grant access to external task systems and business data, silent persistence materially raises credential-compromise risk.

VirusTotal

65/65 vendors flagged this skill as clean.
