Join meeting

Security checks across malware telemetry and agentic risk

Overview

The skill is a real meeting bot integration, but it gives live meeting input a path to sensitive agent actions and local data exposure that users should review carefully before installing.

Install only if you are comfortable with a meeting bot that can transcribe participants, take screenshots, send chat, screenshare, and expose selected localhost pages through AgentCall. Use it in trusted meetings, notify participants as required, keep agent permissions restrictive during calls, avoid sharing sensitive local services through the tunnel, and protect or rotate the plaintext API key stored under ~/.agentcall.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (82)

Context-Inappropriate Capability (Medium, 92% confidence)

The skill explicitly tells the agent to read files, edit code, run commands, and continue doing tool work while live meeting participants can influence it via transcripts and chat. This creates a prompt-injection-to-tool-execution path where untrusted meeting attendees can indirectly drive sensitive local actions unrelated to merely joining a meeting.

Context-Inappropriate Capability (Medium, 90% confidence)

The skill allows exposing arbitrary localhost webpages to meeting participants through a shareable tunnel URL. That can unintentionally publish sensitive local content or internal tools beyond the intended meeting context, especially if the agent is instructed to serve files from local directories under participant influence.

Description-Behavior Mismatch (Medium, 91% confidence)

The bridge exposes a screenshot capability that is not reflected in the described protocol or expected skill scope, creating a hidden surveillance feature. In a meeting-join skill, screenshots can capture shared screens, participant video, code, documents, or other sensitive material and forward that data to the controlling agent without clear operator awareness.

Intent-Code Divergence (Medium, 88% confidence)

The documented stdin command set omits the screenshot command even though the code accepts it, which creates a dangerous mismatch between reviewed behavior and actual capability. Security reviewers and users may approve or run the bridge believing it only supports voice/chat actions while it can also capture visual meeting content.

Intent-Code Divergence (Low, 82% confidence)

The top-level protocol documentation omits the screenshot command and its result events, hiding a material data-access capability from anyone relying on the documented interface. For a meeting bridge, undocumented visual capture materially changes the privacy and threat profile because the agent can receive meeting imagery in addition to transcripts and chat.

Description-Behavior Mismatch (Medium, 86% confidence)

The README expands a meeting-join capability into a general-purpose assistant that can query company data, search documents, and create tickets during a live meeting. This materially broadens the operational scope and trust boundary of the skill, increasing the chance that users or integrators deploy it with sensitive backends and action-taking permissions they did not expect from a meeting-join feature.

Context-Inappropriate Capability (Medium, 90% confidence)

The Slack extension demonstrates outbound messaging unrelated to merely joining meetings, creating a ready-made channel for data movement from the meeting context into external systems. In a meeting assistant that processes transcripts and business context, this can enable unauthorized sharing of sensitive information or social-engineering messages to internal channels.

Context-Inappropriate Capability (Medium, 92% confidence)

The assistant persistently saves full meeting logs locally, including transcript text, participant identities, task history, and voice state events. In a meeting-bot context this creates unnecessary data retention and increases the chance of later disclosure of sensitive business or personal information beyond the core purpose of joining and participating in the call.

Context-Inappropriate Capability (Medium, 81% confidence)

The ticket-creation tool enables external state-changing actions that exceed passive meeting participation and can be triggered from meeting-derived queries. In a meeting context, transcript misunderstandings, prompt injection from participants, or ambiguous requests could cause unwanted tasks/issues to be created in third-party systems.

Context-Inappropriate Capability (Medium, 95% confidence)

The README explicitly describes exporting meeting audio, participant information, and transcripts to an external LLM service and local files, which materially expands data exposure beyond merely joining a meeting. This creates meaningful confidentiality and compliance risk if users deploy the example without understanding that sensitive meeting contents are being transferred to third parties and retained locally.

Context-Inappropriate Capability (Medium, 91% confidence)

The script reads an API key from ~/.agentcall/config.json in addition to environment variables, which expands its access to local secrets beyond the immediate CLI invocation. In an example skill whose stated purpose is joining a meeting, accessing credentials from the user's home directory is a sensitive capability and can surprise users or bypass least-privilege expectations, even though it appears intended for convenience rather than abuse.

Description-Behavior Mismatch (Medium, 87% confidence)

The file implements a full customer-support conversation agent with knowledge-base lookup, LLM decision logic, and call handling behavior, which materially exceeds the manifest's stated 'join a video meeting' capability. This mismatch can mislead operators about what the skill will do and cause them to run code that handles conversations and customer data without expecting those behaviors.

Description-Behavior Mismatch (Medium, 97% confidence)

The code persistently stores full call transcripts to local Markdown files, but the manifest only describes joining meetings. Undisclosed local storage of potentially sensitive customer conversations increases privacy and compliance risk because operators may not realize recordings/transcripts are retained on disk.

Context-Inappropriate Capability (Medium, 90% confidence)

The guide explicitly encourages the meeting bot to fetch CRM, database, documentation, and analysis results and then inject them into the live meeting context. That expands the skill from merely joining a meeting into broad data retrieval and synthesis, increasing the chance that sensitive internal data is surfaced to participants without sufficient authorization, scoping, or user confirmation.

Context-Inappropriate Capability (Medium, 83% confidence)

The documentation promotes predictive context updates and unsolicited contributions, allowing the bot to preload topic-relevant data and speak into meetings without being directly asked. In a meeting-join skill, this can cause unrequested disclosure of sensitive operational or business information and makes the bot behave more like an autonomous participant than a passive assistant.

Context-Inappropriate Capability (Medium, 76% confidence)

The skill is presented as a meeting-join capability, but the client exposes additional account-level operations including listing calls, retrieving arbitrary call details, fetching transcripts, and deleting calls. In an agent-skill context, this expands the authority available to the agent beyond user expectations and could enable unauthorized access to sensitive meeting metadata or destructive actions if invoked improperly.

Context-Inappropriate Capability (Medium, 95% confidence)

This code allows a remote AgentCall-controlled endpoint to send arbitrary HTTP requests into a localhost service, effectively exposing local-only interfaces through the tunnel. Because the forwarded path, method, headers, and body are taken directly from remote input with no allowlist, authentication enforcement, or scope restriction, an attacker who can use or compromise the tunnel backend could reach sensitive local admin APIs or development services.

Description-Behavior Mismatch (Medium, 90% confidence)

The file implements a general-purpose HTTP tunnel rather than a narrowly scoped meeting-join function, materially expanding the skill's attack surface beyond its stated purpose. In the context of a meeting bot skill, this mismatch is more dangerous because users and reviewers may not expect that enabling the skill also grants a remote service reachability into localhost.

Description-Behavior Mismatch (Medium, 89% confidence)

The bridge accepts a stdin `screenshot` command and emits raw screenshot data back to the agent, which materially expands the skill from meeting attendance into visual capture of participant screens, presentations, and shared content. In a meeting context this can expose sensitive documents, chats, credentials, or proprietary material to the agent framework without clear scope limitation or consent controls.

Vague Triggers (Medium, 88% confidence)

The manifest description is broad enough to encourage invocation for any meeting-related request without clearly stating boundaries, consent requirements, or approval gates. In a skill that can autonomously join calls and interact via voice/video, vague triggering increases the chance of unintended activation and unauthorized participation in sensitive meetings.

Missing User Warnings (High, 97% confidence)

The manifest advertises capabilities with significant privacy and data-handling consequences—joining meetings, real-time transcription, avatar/video presence, and screensharing—without any user-facing warning about consent, recording/transcription notice, or exposure of sensitive information. In this context, omission is dangerous because the skill is specifically designed to enter live communication environments where confidential business, personal, or regulated data may be disclosed.

Missing User Warnings (Medium, 94% confidence)

The README promotes real-time transcription, screenshots, chat access, and screensharing in live meetings without clearly warning about participant consent, legal restrictions, or privacy obligations. In this skill's context, that omission is significant because the tool is explicitly designed to join third-party meetings as a bot, making covert or non-consensual collection of meeting content more likely if users are not clearly instructed to obtain authorization.

Missing User Warnings (Medium, 89% confidence)

The skill describes joining meetings, ingesting transcripts, and participating as a bot without requiring clear participant notice or consent guidance. In many environments this creates privacy, compliance, and trust risks because attendees may not know they are being recorded, transcribed, or analyzed by an AI agent.

Missing User Warnings (Medium, 95% confidence)

The skill instructs users to persist the API key in plaintext under ~/.agentcall/config.json without a security warning or stronger storage recommendation. Plaintext credential storage increases the chance of theft by other local users, malware, backups, logs, or accidental file exposure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly describes joining live meetings, ingesting speech transcripts, and handling meeting chat, but it does not clearly warn users that spoken content, chat messages, URLs, code, logs, and other potentially sensitive material will be transmitted to external services and processed by the bot. In this skill context, that omission is more dangerous because the bot is intended for coding sessions where secrets, internal code, and production details are commonly discussed or pasted.

VirusTotal

VirusTotal findings are pending for this skill version.