Security audit

JT Meeting Summary

Security checks across malware telemetry and agentic risk

Overview

This is a prompt-only meeting and call summarization skill with minor privacy and language-scoping caveats; it performs no hidden execution or data exfiltration.

Safe to install as prompt-only guidance. Use it only with transcripts you are comfortable giving to the model, and ask explicitly to mask phone numbers or preserve a non-Chinese output language when needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The file gives privacy-preserving guidance to mask phone numbers and avoid repeatedly exposing them, but the output template immediately undermines that guidance by instructing the model to include phone-number fields in multiple sections. In a call-summary skill that processes transcripts and caller identities, this inconsistency can cause unnecessary disclosure of personal data in generated summaries.

Missing User Warnings

Medium
Confidence: 94%
Finding
The markdown example normalizes re-printing phone numbers in the final output without any warning, consent check, or minimization rule. Because this skill is specifically for summarizing phone-call transcripts, the model may propagate sensitive identifiers into downstream notes, tickets, or shared documents where they are not needed.

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding
The prompt hard-codes '中文为主;除原文专有英文外,禁止英文标注', which constrains the output language regardless of the language the user requests. This is a prompt-safety and user-intent issue because it can override user preferences, cause misleading localization, and reduce usability in multilingual contexts, though it does not introduce code execution or data exfiltration risk.

VirusTotal

64/64 vendors flagged this skill as clean.