meetmind

Security checks across malware telemetry and agentic risk

Overview

MeetMind is a coherent meeting-notes assistant, but it can send sensitive meeting text or audio plus a persistent user ID to a cloud service without enough user control or privacy detail.

Install only if you are comfortable sending meeting content, audio, participant details, and a stable user identifier to the vendor’s cloud service. Avoid using it for confidential, regulated, legal, HR, customer, or internal strategy meetings unless the publisher provides acceptable privacy, retention, deletion, and security terms, and prefer invoking it explicitly with MeetMind or @meetmind rather than relying on generic triggers.

Publisher note

  • Supports pasting text and uploading audio, automatically recognizing 9 types of meeting templates
  • Based on the ACE six-dimensional structure, outputs structured minutes and supports cross-meeting memory tracking (paid version)
  • The free tier allows for pasting text, with 10 free trials; the paid tier supports audio transcription and advanced features
  • Automatically generates and manages user IDs, eliminating the need for manual configuration and supporting multi-device synchronization
  • Intelligently matches meeting types through keywords, with cloud-based API providing refined processing
  • Multi-tiered billing and enterprise-customized templates to meet different user needs

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger list includes broad everyday phrases such as '会议纪要', '会议记录', and regex-like patterns that could match ordinary conversation, increasing the chance the skill is invoked unintentionally. In this skill's context, accidental invocation is more dangerous than usual because the skill is designed to send meeting content to a cloud API, so a false trigger could cause unintended disclosure of sensitive business discussions.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill states that it automatically generates and persists a user ID and sends it to cloud endpoints, but it does not provide clear consent language, retention details, data-use scope, or a meaningful privacy notice. Because this skill processes meeting text/audio and supports cross-meeting memory, inadequate disclosure can lead to covert tracking and transmission of highly sensitive corporate or personal information without informed user consent.

Missing User Warnings

Medium
Confidence: 91%
Finding
The client sends transcription text, audio, meeting titles, participants, and related context to a remote third-party API. In a meeting assistant context, this data is likely highly sensitive business or personal content, and the code provides no explicit consent flow, warning, or local/offline alternative before exfiltrating it off-device.

Missing User Warnings

Medium
Confidence: 88%
Finding
The code generates or reads a persistent user identifier, stores it locally, and transmits it in headers and request parameters to the remote service without notice. Persistent identifiers enable tracking across sessions and correlation of multiple uploads, increasing privacy risk and making sensitive meeting data attributable to a consistent user profile.

VirusTotal

VirusTotal findings are pending for this skill version.
