Security audit

Meeting Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a real meeting-recording assistant, but it exposes sensitive recording and window-inspection controls too broadly for a desktop skill.

Install only if you are comfortable granting microphone, system-audio, Accessibility, and optional calendar access. Before use, restrict the AudioDaemon socket permissions, avoid enabling the public calendar tunnel unless needed, keep output set to local file unless you intend to share summaries externally, and review any external LLM or Notion/Telegram/Zulip configuration because transcripts and summaries may contain sensitive meeting content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    os.kill(pid, signal.SIGTERM)
    # also kill every process with the same name (avoid leftovers)
    subprocess.run(
        ["pkill", "-f", "recorder_status"],
        capture_output=True,
    )
Confidence
92% confidence
Finding
subprocess.run( ["pkill", "-f", "recorder_status"], capture_output=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
script = f'display notification "{message}" with title "{title}"'
    if subtitle:
        script += f' subtitle "{subtitle}"'
    subprocess.run(["osascript", "-e", script], capture_output=True)


def _fallback_dialog(message, buttons, default_button, timeout=60):
Confidence
97% confidence
Finding
subprocess.run(["osascript", "-e", script], capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f'default button "{default_button}" '
        f'giving up after {timeout}'
    )
    result = subprocess.run(
        ["osascript", "-e", script],
        capture_output=True,
        text=True,
Confidence
98% confidence
Finding
result = subprocess.run( ["osascript", "-e", script], capture_output=True, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
log(f"✅ schedule.json 已更新,{len(events)} 个事件")

        try:
            r = subprocess.run(
                ["pgrep", "-f", "scheduler_daemon.py"],
                capture_output=True, text=True, timeout=5,
            )
Confidence
77% confidence
Finding
r = subprocess.run( ["pgrep", "-f", "scheduler_daemon.py"], capture_output=True, text=True, timeout=5, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
prompt = SUMMARY_PROMPT.format(title=meeting_title, transcript=transcript)
    print(f"🤖 LLM: {shlex.join(cmd)}")
    try:
        result = subprocess.run(
            cmd,
            input=prompt,
            capture_output=True,
Confidence
86% confidence
Finding
result = subprocess.run( cmd, input=prompt, capture_output=True, text=True, timeout=180, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# reload the scheduler via SIGHUP
try:
    r = subprocess.run(
        ["pgrep", "-f", "scheduler_daemon.py"],
        capture_output=True, text=True, timeout=5,
    )
Confidence
72% confidence
Finding
r = subprocess.run( ["pgrep", "-f", "scheduler_daemon.py"], capture_output=True, text=True, timeout=5, )

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The module explicitly states that queued events are later read by an agent and pushed to Telegram, which expands data flow beyond the skill's stated local meeting automation/transcription scope. Because event metadata can include meeting titles and file paths to transcripts or summaries, this creates an external notification channel that could expose sensitive meeting information if users are not clearly informed and consenting.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The daemon exposes a `windows` action that enumerates titles of all regular application windows via Accessibility APIs and returns them to any local client connected to the socket. Window titles often contain sensitive information such as document names, private messages, meeting topics, or URLs, and this capability goes beyond the minimum needed for audio capture unless tightly scoped and authenticated.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The Unix socket command interface accepts `start`, `stop`, `status`, `windows`, and `quit` from any local client without verifying the peer identity or requiring a secret. Combined with the daemon's microphone/system-audio capture role, this lets another local process control recording state, inspect readiness, and interfere with operation, creating a serious privacy and abuse risk.

Scope Creep

High
Confidence
99% confidence
Finding
After binding the Unix socket, the daemon sets permissions to `0o666`, making the control socket world-writable. This significantly broadens access so any local user or process on the machine can attempt to send control commands, magnifying the unauthenticated IPC issue into a cross-process and potentially cross-user privacy exposure.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill advertises local/native meeting automation, but this script creates a public Cloudflare tunnel and registers externally reachable Google webhook endpoints. That materially expands the attack surface beyond local automation and increases exposure to unsolicited internet traffic and webhook abuse.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The public webhook accepts POSTs from anyone reaching the tunnel and triggers schedule synchronization based only on an easily spoofed X-Goog-Resource-State header. An attacker can repeatedly invoke sync_calendar_to_schedule, causing resource consumption, log noise, and potentially repeated access to calendar/OAuth flows without any origin authentication.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script explicitly supports sending meeting summaries to external services (Notion, Telegram, Zulip), which expands data flow beyond purely local note generation. Because meeting notes commonly contain sensitive business or personal content, adding publication channels creates a real confidentiality and compliance risk if users are not clearly warned and required to opt in.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The server binds to `0.0.0.0` and accepts unauthenticated POST requests to `/calendar-webhook`, triggering background synchronization work. Even though the handler returns only `OK`, exposing this endpoint broadly allows any reachable party to induce repeated sync activity and local process signaling, expanding the attack surface unnecessarily for a desktop meeting assistant.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code persistently writes a notification queue under the user's home directory without any in-code disclosure, retention control, or permission hardening. Since queued entries may contain meeting titles and paths to transcript or summary files, the local artifact can leak sensitive workflow metadata to other local processes, backups, or users on misconfigured systems.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script sends calendar query parameters and receives meeting metadata through an external CLI/OAuth-integrated service without any explicit user-facing notice at the time of access. In a meeting-assistant skill that handles sensitive scheduling data, this increases privacy risk because titles, attendees, links, and descriptions may be exposed to third-party tooling or accounts unexpectedly.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The meeting detection keywords are broad enough to match ordinary browser windows, chat/call states, and generic phrases like '正在通话' or 'Meet -', which can cause unintended meeting detection. In this skill’s context, a false detection is especially sensitive because it can trigger recording/transcription workflows involving microphone and system audio, creating a privacy and consent risk even if the implementation later prompts the user.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The detector inspects window titles and visible applications to infer whether the user is in a meeting, which can expose sensitive context such as contact names, meeting names, or private browser tab/window titles. Although the skill description mentions meeting automation, this file performs background surveillance-style collection and logging of UI context without an explicit in-file consent flow or clear minimization controls, making privacy abuse or accidental overcollection more plausible.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The Notion path uploads full meeting-summary content to a third-party service without any runtime privacy notice, consent gate, classification check, or redaction step. In the context of a meeting assistant, this is particularly risky because summaries may include confidential discussions, credentials, customer data, or regulated information.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script copies a Google OAuth client secret into a predictable config directory under the user's home folder without warning about sensitivity or tightening permissions. While OAuth client secrets for desktop apps are not equivalent to user access tokens, careless storage can still expose API configuration to other local processes or users on a shared system.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Meeting transcripts often contain confidential business, personal, or regulated information, and this code can pass the entire transcript to an external LLM command without any explicit warning or runtime consent in the function itself. In the context of a meeting-recording skill, this is more dangerous because users may assume transcription stays local while summaries may actually be generated by a remote service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code enumerates all regular running applications and extracts their window titles via macOS Accessibility APIs, then prints the collected data as JSON. Window titles frequently contain sensitive information such as document names, chat subjects, email subjects, meeting names, and URLs, and the script provides only the system accessibility permission prompt rather than a clear in-skill disclosure or scoped consent for this specific collection.

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.