Clickmeeting

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ClickMeeting integration that can manage real account data, so users should confirm sensitive changes before using it.

Install only if you are comfortable connecting your ClickMeeting account through Membrane. Verify the Membrane CLI package before installing, connect only the intended account, and require explicit confirmation before sending invitations, generating access links or tokens, changing meetings, registering participants, using proxy requests for write operations, or deleting conferences.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill documents a permanent delete action without any warning, confirmation, or requirement to verify user intent. In an agent setting, exposing destructive capabilities without guardrails increases the chance of accidental or unauthorized data loss through ambiguous prompts or mis-execution.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The proxy request section enables arbitrary authenticated API operations beyond the predefined actions, but it provides no warning about privacy, scope, or the risk of mutating or exfiltrating sensitive ClickMeeting data. This materially expands the attack surface because an agent could be induced to perform unexpected reads, writes, or deletions through raw endpoint access.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal