Back to skill

Security audit

Zoom Meeting Assistance Rtms Unofficial Community

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a real Zoom meeting recorder, but it handles very sensitive meeting data with weak network and retention controls that users should review before installing.

Install only if you are prepared to run it as a sensitive recording service: obtain participant consent, restrict the webhook and toggle endpoints, verify Zoom webhook signatures, remove the disabled TLS validation, limit who can read the recordings folder, and define retention/deletion rules before using it for real meetings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation describes use of environment variables, webhook handling, direct network connections, and local recording storage, but the metadata shown does not declare corresponding permissions. That mismatch weakens reviewability and informed consent, because a user may enable a skill without realizing it can access secrets and communicate externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose frames the skill as a meeting assistant, but the file also documents persistent archival recording, raw media retention, ffmpeg post-processing, direct RTMS/WebSocket connectivity, and remotely callable notification toggles. This broader behavior materially increases privacy, data retention, and attack-surface risk because operators may not expect full-fidelity surveillance and auxiliary HTTP controls from the short description alone.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The /api/notify-toggle endpoints have no authentication or authorization, so any network-reachable caller can enable or disable outbound meeting notifications. In this skill, those notifications contain sensitive meeting-derived content, so an attacker can suppress alerts, interfere with operator awareness, or manipulate notification behavior without permission.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The media WebSocket is created with rejectUnauthorized: false, which disables TLS certificate validation and allows man-in-the-middle interception or impersonation of the media server. Because this stream carries live meeting audio, video, transcript, screenshare, and chat, exploitation could expose or alter highly sensitive meeting content in transit.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly promotes capturing audio, video, transcript, screenshare, chat, and sending AI-derived outputs over WhatsApp, but it does not warn about consent, notice, retention, or legal/privacy obligations. In a meeting-recording skill, this omission is security-relevant because operators may deploy invasive collection and third-party transmission without participant awareness, increasing the risk of unauthorized surveillance, data leakage, and noncompliance with privacy laws or workplace policies.

Missing User Warnings

High
Confidence
96% confidence
Finding
This skill records audio, video, transcripts, screenshare, chat, and generates AI analysis, yet the opening description does not prominently warn about extensive surveillance, retention, or consent implications. In the context of meeting software, that omission is especially dangerous because captured data is highly sensitive and may include confidential business, personal, or regulated information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The environment/setup guidance asks users to place Zoom credentials and notification targets in a .env file but does not warn about secret handling, rotation, least privilege, or preventing accidental disclosure. Because these values can grant webhook trust, API access, and outbound notification delivery, poor handling can lead to account compromise, spoofed events, or leakage of meeting summaries to unintended recipients.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Meeting transcripts, events, meeting UUIDs, stream IDs, and derived prompts are forwarded to an external agent process without any visible consent, disclosure, or data-minimization controls. In the context of a Zoom RTMS assistant, this is especially sensitive because transcripts and meeting metadata may contain confidential business discussions, personal data, or regulated information, and users may reasonably assume analysis stays within the skill's primary platform.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The notification helper can send arbitrary message content to an external WhatsApp or other configured channel without any user-facing disclosure or apparent consent boundary. In a meeting-assistant context, this is risky because summaries, alerts, or meeting-derived content could be exfiltrated to a personal device or third-party messaging service outside the participants' expectations and organizational controls.

Missing User Warnings

High
Confidence
82% confidence
Finding
The skill sends transcript and event-log content to external AI functions and may forward generated summaries and suggestions through notifications, but this file shows no validation of consent, data minimization, or provider-boundary controls. In a meeting assistant that processes potentially confidential business discussions, exporting live transcript content to third-party AI services materially increases privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This prompt directs the system to infer and quantify each participant’s emotional state from meeting transcripts without any warning, consent check, or sensitivity guard for interpersonal or psychological data. In the context of Zoom meeting capture and AI-powered analysis, this can expose sensitive behavioral inferences about identifiable individuals and create privacy, compliance, and workplace harm risks if users are unaware or have not consented.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This function persistently writes raw meeting audio to disk for each participant or mixed stream without any visible consent check, policy gate, retention control, or user-notice enforcement at the point of capture. In the context of a Zoom RTMS meeting assistant that records live meeting content, storing raw audio materially increases privacy, legal, and data-exposure risk because sensitive conversations may be retained locally and later accessed, exfiltrated, or mishandled.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest explicitly advertises capture of highly privacy-sensitive meeting content including audio, video, transcript, screenshare, chat, AI summaries, and WhatsApp notifications, but it provides no indication of consent requirements, participant notice, retention limits, or data handling safeguards. In a meeting-assistance skill, this omission is dangerous because the capability is inherently surveillance-like and could enable unauthorized collection or onward sharing of sensitive business or personal communications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The prompt explicitly instructs the system to analyze screen-share images, meeting events, participant presence/absence, and meeting identifiers without any built-in minimization, consent check, or warning about sensitive visual and participant data. In a meeting-assistant context, this can expose confidential documents, PII, attendance patterns, and other sensitive business information to downstream summarization and tagging flows beyond what users may reasonably expect.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"version": "1.0.0",
  "type": "module",
  "dependencies": {
    "dotenv": "^16.4.1",
    "express": "^4.21.2",
    "pdfkit": "^0.17.2",
    "pixelmatch": "^7.1.0",
Confidence
91% confidence
Finding
"dotenv": "^16.4.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"type": "module",
  "dependencies": {
    "dotenv": "^16.4.1",
    "express": "^4.21.2",
    "pdfkit": "^0.17.2",
    "pixelmatch": "^7.1.0",
    "sharp": "^0.34.4",
Confidence
91% confidence
Finding
"express": "^4.21.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "dotenv": "^16.4.1",
    "express": "^4.21.2",
    "pdfkit": "^0.17.2",
    "pixelmatch": "^7.1.0",
    "sharp": "^0.34.4",
    "ws": "^8.16.0"
Confidence
90% confidence
Finding
"pdfkit": "^0.17.2"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dotenv": "^16.4.1",
    "express": "^4.21.2",
    "pdfkit": "^0.17.2",
    "pixelmatch": "^7.1.0",
    "sharp": "^0.34.4",
    "ws": "^8.16.0"
  }
Confidence
89% confidence
Finding
"pixelmatch": "^7.1.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"express": "^4.21.2",
    "pdfkit": "^0.17.2",
    "pixelmatch": "^7.1.0",
    "sharp": "^0.34.4",
    "ws": "^8.16.0"
  }
}
Confidence
90% confidence
Finding
"sharp": "^0.34.4"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"pdfkit": "^0.17.2",
    "pixelmatch": "^7.1.0",
    "sharp": "^0.34.4",
    "ws": "^8.16.0"
  }
}
Confidence
94% confidence
Finding
"ws": "^8.16.0"

Known Vulnerable Dependency: ws==8.16.0 — 3 advisory(ies): CVE-2024-37890 (ws affected by a DoS when handling a request with many HTTP headers); CVE-2026-45736 (ws: Uninitialized memory disclosure); CVE-2026-48779 (ws: Memory exhaustion DoS from tiny fragments and data chunks)

High
Category
Supply Chain
Confidence
98% confidence
Finding
ws==8.16.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.insecure_tls_verification

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
chatWithClawdbot.js:28

HTTPS certificate verification is disabled.

Warn
Code
suspicious.insecure_tls_verification
Location
index.js:610