ClawHub

Imposter Smasher for Events and Meetings

Security checks across malware telemetry and agentic risk

Overview

This skill coherently prepares meeting briefings, but users should know it may use calendar details and external research or audio services.

Install only if you are comfortable using this skill with calendar metadata and selected meeting details. For confidential meetings, paste a sanitized event summary instead of granting calendar access, limit attendee details, and skip third-party audio generation unless the provider’s data handling is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill processes privacy-sensitive meeting data, including calendar events, organizers, and attendee details, but does not clearly warn the user about the sensitivity of that information or how it will be handled. This can lead to overcollection or disclosure of personal and business-sensitive metadata without informed consent, especially in high-stakes meeting contexts.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill states that it uses external research and audio-generation services, but it does not explicitly warn that meeting-related content, participant identities, and possibly sensitive business context may be transmitted to third parties. In a meeting-prep skill, this materially increases risk because confidential or personal data could be exposed outside the primary platform without the user's informed approval.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The implementation notes explicitly instruct the skill to fetch next-day calendar events and research meeting participants, which involves potentially sensitive personal and professional data. Without an explicit user-facing notice, consent step, or data-minimization guidance, the skill may access or aggregate private information in ways the user does not fully expect, increasing privacy and trust risks.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script persists meeting-derived content to disk in multiple files, including an executive summary, audio script, and manifest, without any built-in notice, consent gate, minimization, or retention control. In the context of a meeting-prep skill, these files can contain sensitive calendar details, attendee names, internal notes, and research outputs, so silent persistence increases the risk of unintended disclosure through shared directories, backups, logs, or later reuse.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal