Bytesagain Meeting Minutes

Security checks across malware telemetry and agentic risk

Overview

This is a local meeting-minutes tool with real privacy caveats around where notes are saved, but its behavior matches its stated purpose and shows no hidden remote access or destructive actions.

Install only if you are comfortable storing meeting notes on this machine. Avoid using it for highly sensitive meetings on shared systems, and periodically delete old files from ~/.bytesagain-meetings and /tmp/meeting-*.md if they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The export command does more than its terminal-oriented description suggests: it also persists meeting content to /tmp. Because meeting minutes may contain sensitive internal discussions, decisions, and action items, silently writing them to a shared temporary location creates an unnecessary confidentiality risk and broadens data exposure beyond user expectations.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
Writing meeting content to /tmp can expose potentially sensitive notes to other local users or processes, especially on multi-user systems where temporary directories are commonly scanned or retained. The fixed, predictable filename /tmp/meeting-<id>.md also increases the chance of unintended access, overwrite, or symlink-related misuse.

Missing User Warnings

Medium
Confidence: 88%
Finding
The help output does not disclose that meeting data is stored persistently under the user's home directory and that exports are additionally written to /tmp. This lack of transparency can cause users to enter sensitive information under the mistaken belief that it is only displayed transiently in the terminal, increasing the likelihood of accidental data exposure.

VirusTotal

65/65 vendors flagged this skill as clean.
