Security audit

tencent-meeting

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it handles Tencent Meeting credentials, meeting creation, recordings, and transcripts, so it should be used with care.

Install only if you intend to let an agent use Tencent Meeting API credentials. Use scoped, revocable credentials; confirm before creating meetings or retrieving recordings/transcripts; avoid using broad generic prompts when you mean another calendar or meeting tool; and remember that terminal output or logs may contain transcript text, recording URLs, or temporary auth headers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 86% confidence
Finding
The trigger list includes broad phrases such as 'schedule a meeting', 'meeting transcript', and 'meeting recording', which can match many generic user requests not clearly intended for Tencent Meeting. Over-broad activation can route unrelated conversations into a skill that can create meetings or access recordings/transcripts, creating privacy and integrity risk through accidental invocation.

Missing User Warnings

Medium, 96% confidence
Finding
The skill documents workflows for listing cloud recordings, obtaining download URLs, and extracting meeting transcripts, but provides no user-facing warning or consent guidance for handling highly sensitive audio, text, and AI summaries. In this context, transcripts and recordings may contain confidential business discussions or personal data, so omission of privacy safeguards materially increases the risk of unauthorized disclosure or misuse.

Missing User Warnings

Medium, 85% confidence
Finding
The guide explicitly documents endpoints for listing recordings and extracting meeting transcripts, which are highly sensitive artifacts containing private conversations and metadata, but it provides no warning about consent, authorization scope, retention, or privacy handling. In a skill designed to manage Tencent Meeting resources, this omission increases the chance that downstream implementations expose or retrieve transcripts without adequate user awareness, policy checks, or least-privilege controls.

VirusTotal

66/66 vendors flagged this skill as clean.
