Meetlark - coordinate a meeting

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Meetlark scheduling-poll integration, but users should treat poll admin tokens and individual vote results as sensitive.

Install only if you are comfortable using Meetlark for scheduling data. Keep the admin token private, share only the participation URL, avoid exposing individual votes unless necessary, and remove the admin token from agent memory or notes once the poll is closed or no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill explicitly instructs the agent to store a private admin token in memory for the poll's lifetime, but provides no guidance on minimization, secure storage, retention limits, or user consent. Because the admin token grants access to full results and poll control actions, retaining it in agent memory increases the chance of unintended disclosure through memory leakage, prompt injection, logging, or cross-task reuse.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill states that the poll results endpoint returns individual votes, but it does not warn that participant-level voting data may be sensitive personal information. In a scheduling context, individual availability can reveal work patterns or private constraints, so encouraging retrieval of this data without notice or need-to-know limits creates a privacy risk.

Ssd 3

Medium
Confidence: 97%
Finding
The natural-language instruction to retain the private admin token in agent memory for the poll lifetime creates a concrete secret-retention risk. In agent systems, memory can persist across sessions, be surfaced in debugging or summaries, or be exfiltrated via prompt injection, making long-lived retention of an administrative bearer token unnecessarily dangerous.

VirusTotal

64/64 vendors flagged this skill as clean.
