Security audit

Meeting Prep Brief - 会前材料制作

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent meeting-prep helper, but users should be careful with sensitive meeting documents and optional Tencent Docs syncing.

Install only if you intend to use it for structured meeting briefs. Do not provide confidential, regulated, or personal materials unless you are authorized, and use Tencent Docs sync only when you deliberately want the generated brief or attachment-derived content sent to that external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README advertises a very broad natural-language trigger phrase, which can cause the skill to activate during ordinary conversation rather than only on clear user intent. In an assistant environment, unintended activation matters because this skill may perform web research, parse attachments, and prepare/share structured outputs, increasing the chance of unnecessary data handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that the skill performs web research, extracts information from PPT/PDF attachments, and can sync content to Tencent Docs, but it does not clearly warn users what data may be transmitted, stored, or shared externally. In a meeting-prep context, inputs commonly include confidential business plans, partner information, and internal documents, so missing privacy and transmission disclosures can lead to accidental exposure of sensitive data.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger terms are very broad and include common phrases such as meeting preparation and meeting summary, which can cause the skill to activate on ordinary requests without clear user intent. In a skill that processes attachments and may generate external documents, overbroad activation increases the chance of unintended data handling or disclosure.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The example prompts are phrased as ordinary everyday requests, so users may invoke the skill unintentionally without realizing it will collect files and generate structured outputs. This is risky because the skill is designed for potentially sensitive business meetings and may process confidential materials under a generic request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README advertises syncing content to Tencent Docs but does not clearly disclose that meeting data may be transmitted to a third-party service or shared through an external document platform. Because this skill is intended for briefing materials, the data likely includes sensitive commercial, organizational, or personal information, making silent transmission materially dangerous.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill encourages users to provide invitation letters, presentations, and links, but it does not warn that these materials may contain confidential business information, partner data, or internal strategy. In the context of meeting preparation, attachments are especially likely to be sensitive, so omission of handling guidance increases the risk of accidental exposure.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The top-level skill description casts a very wide net over common meeting-related requests, making accidental invocation likely when a user only wants a summary or general preparation help. Over-broad routing can cause the agent to activate unnecessary capabilities such as document parsing, web research, HTML generation, or Tencent Docs publishing in contexts where the user did not clearly ask for them, increasing risk of unintended data handling.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger guidance relies on vague keywords like "briefing" and "等关键词" without clear scope boundaries, which can cause false-positive activation on ordinary conversation about meetings. In this skill, that matters because activation can lead to broad information collection and optional external synchronization, so ambiguous triggering increases the chance of unnecessary access to sensitive meeting context.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.