Back to skill

Security audit

Meeting Summary

Security checks across malware telemetry and agentic risk

Overview

This meeting-summary skill is mostly purpose-aligned, but it needs review because it sends sensitive meeting content to external services, stores voiceprint biometrics locally, and has weak scoping around some paths and endpoints.

Review before installing. Use it only for recordings you are allowed to send to StepFun or another configured LLM endpoint, obtain participant consent before voiceprint enrollment or speaker identification, periodically delete caches and stored voiceprints, and avoid path-like speaker names such as names containing slashes or '..' until the voiceprint path handling is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Tainted flow: 'cmd' from os.environ.get (line 130, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
def run_command(cmd: List[str], timeout: int = 300) -> subprocess.CompletedProcess:
    return subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)


def preprocess_audio(audio_path: str) -> Tuple[str, Dict[str, object]]:
Confidence
86% confidence
Finding
return subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)

Tainted flow: 'req' from os.environ.get (line 1063, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=180) as resp:
            raw = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        err_body = exc.read().decode("utf-8", errors="replace")
Confidence
97% confidence
Finding
with urllib.request.urlopen(req, timeout=180) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly exercises sensitive capabilities including shell execution, environment variable access, file reads/writes, and network use, yet no explicit permissions are declared. This weakens review and user awareness, making it easier for a privacy-sensitive workflow to run with more power than users or platform policy expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly instructs users to upload meeting audio to a third-party ASR service but does not warn that recordings may contain confidential business discussions, personal data, or regulated information. In a meeting-summary skill, this omission is security-relevant because users may unknowingly transmit sensitive audio off-device without assessing consent, retention, or compliance requirements.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill supports voiceprint enrollment and speaker identification, which involves biometric data processing, yet the README presents this as a normal feature without a clear warning about consent, storage, misuse, and legal sensitivity. Because voiceprints are persistent identifiers and harder to rotate than passwords, collecting and matching them raises materially higher privacy and abuse risk than ordinary transcription.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The recommended workflow tells users to generate a quick summary and 'send it out' before review, even though elsewhere the README acknowledges diarization, speaker estimation, and summary quality can be imperfect. In this context, encouraging distribution of unreviewed outputs can leak incorrect attributions, decisions, or action items, causing operational and privacy harm.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The trigger phrases include common requests like '总结会议/会议纪要/帮我总结录音' and related variants that could match ordinary conversation and cause the skill to activate unexpectedly. Because this skill handles recordings, voiceprints, and external transmission, accidental invocation increases the chance of unintended sensitive-data processing.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill processes meeting audio, performs speaker diarization and voiceprint matching, and sends content to external APIs, but the description does not prominently warn users about privacy-sensitive handling, third-party transmission, or consent requirements. In a meeting-recording context, this is especially risky because conversations often contain personal, confidential, or regulated business information about multiple people.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documented voiceprint enrollment and identification commands enable biometric collection and matching without any explicit warning about biometric sensitivity, consent, retention, or misuse risks. Biometric identifiers are highly sensitive and mistakes or unauthorized enrollment could expose users to privacy harm, impersonation concerns, or compliance violations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly instructs users to use remote StepFun ASR and LLM services for transcription and summarization, which means meeting audio and derived content may be transmitted off-device. In a meeting-summary context this can expose sensitive business discussions, personal data, or regulated content if users are not clearly warned about the privacy and data-handling implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code sends meeting-derived content to an external LLM service without any visible consent, warning, or redaction flow in the skill. Because the skill handles recordings, transcripts, participants, and reference notes, the context makes undisclosed third-party transmission especially sensitive.

Missing User Warnings

High
Confidence
91% confidence
Finding
The script persists biometric voiceprint embeddings to disk under a predictable user workspace path without any consent prompt, retention controls, access hardening, or encryption. Biometric data is highly sensitive and effectively irreversible; if the local workspace is exposed, copied, or shared, stored voiceprints could be misused for identification, correlation, or privacy violations.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The diarization command can write speaker-labeled transcript output to an arbitrary file path, creating a persistent record that combines speech content with inferred identity. In the context of a meeting-summary skill, that materially increases privacy risk because transcripts may contain confidential business or personal information and speaker attribution makes the data more sensitive.

Ssd 3

Medium
Confidence
93% confidence
Finding
The speaker-count estimation path forwards raw transcript text and potentially known participant names to an external LLM. Even though this is a helper step, it still discloses sensitive meeting content to a third party, which is dangerous in a meeting-processing skill where recordings may contain confidential business or personal data.

Ssd 3

High
Confidence
98% confidence
Finding
The summarization request sends a large portion of the transcript, participant identities, reference notes, and confidence annotations to an external LLM. In this skill context, that is sensitive organizational data exfiltration by design, and it becomes even more dangerous because the endpoint is separately configurable via environment variable.

External Transmission

Medium
Category
Data Exfiltration
Content
| `HF_TOKEN` | 空 | Hugging Face token(pyannote gated model 需要) |
| `STEPFUN_API_KEY` | 从 `~/.stepfun_api_key` 读取 | StepFun API Key |
| `MEETING_SUMMARY_LLM_MODEL` | `step-3.5-flash` | LLM 模型名 |
| `MEETING_SUMMARY_LLM_URL` | `https://api.stepfun.com/v1/chat/completions` | LLM API 地址 |
| `MEETING_SUMMARY_WORKSPACE` | `~/.openclaw/workspace` | 工作区根目录 |

---
Confidence
88% confidence
Finding
https://api.stepfun.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.