Open Utter (Meeting Bot)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Google Meet transcription bot, but it is marked for review because it can capture and share sensitive meeting visuals and transcripts, reuse a saved Google session, disguise browser automation, and has an unsafe shell command path.

Install only if you are comfortable with a bot joining meetings, saving transcripts and screenshots locally, and sending meeting images/status updates to the active OpenClaw chat target. Prefer guest mode or a dedicated low-privilege Google account, protect or delete ~/.openutter/auth.json after use, set a duration or stop the bot when done, and avoid use in meetings without appropriate participant consent.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch (Medium, 95% confidence)

Finding: The script does more than passively capture captions: it sends screenshots and status updates to an external chat channel via `openclaw message send`. That creates an additional data-exfiltration path for potentially sensitive meeting content and metadata beyond the stated transcription purpose, especially because screenshots can expose participant identities, chat, and shared content.

Context-Inappropriate Capability (Medium, 98% confidence)

Finding: The stealth script deliberately alters browser fingerprints such as `navigator.webdriver`, plugins, languages, permissions, and WebGL values to evade automation detection. In a meeting bot, this is dangerous because it is specifically designed to bypass platform defenses and access controls that may be intended to block unauthorized or policy-violating automated attendance.

Context-Inappropriate Capability (Medium, 90% confidence)

Finding: This script adds an on-demand screenshot capability by signaling a running bot and reading back the saved screenshot path, which exceeds the stated purpose of capturing live captions/transcripts. In a meeting bot context, screenshots can capture participant video, shared screens, chat, or other sensitive visual content, creating broader surveillance and privacy risk than transcript-only collection.

Vague Triggers (Medium, 84% confidence)

Finding: The skill maps broad natural-language prompts like asking what's happening or to summarize the meeting directly to transcript retrieval and summarization. In an agent setting, overly broad trigger phrases increase the chance of accidental activation, causing the agent to expose meeting contents when the user may have intended a general question rather than authorization to access private transcripts.

Vague Triggers (Low, 78% confidence)

Finding: Phrases like 'what do you see' are highly ambiguous and can occur in ordinary conversation, yet the skill mandates taking and sending a screenshot when they appear. In a meeting context, that can lead to unintended capture and transmission of sensitive visual information from a live call without sufficiently explicit user intent.

Missing User Warnings (Medium, 95% confidence)

Finding: The script persists an authenticated Google browser session to `~/.openutter/auth.json` using Playwright storageState, which typically includes cookies and other session artifacts that can allow account reuse without re-authentication. Storing this material unencrypted on disk creates a real credential theft risk if the host is multi-user, compromised, backed up insecurely, or if file permissions are too broad.

Missing User Warnings (Medium, 92% confidence)

Finding: After joining, the bot captures a screenshot of the meeting, enables live captions, writes transcripts to disk, and may send screenshots/status messages externally, but there is no in-flow privacy notice or explicit consent check at the point of capture. In the context of live meetings, this can collect sensitive communications and participant data without adequate disclosure to the operator or attendees.

Missing User Warnings (Low, 83% confidence)

Finding: The script will automatically use previously saved Google authentication state from `~/.openutter/auth.json` when present, with only console logging as disclosure. This can cause the bot to join meetings under a real user account unexpectedly, expanding access and attribution risks if the operator did not explicitly choose authenticated mode at execution time.

VirusTotal

66/66 vendors flagged this skill as clean.