ClawHub

Pilot Meeting Assistant Setup

Security checks across malware telemetry and agentic risk

Overview

This appears to be a meeting-workflow skill that openly moves meeting information into related tools, but users should handle private meeting content carefully.

Install only if you are comfortable sending meeting titles, attendee identifiers, notes, decisions, action items, reminders, and links to the configured calendar, Slack, or archive destinations. Use test data in examples, redact confidential content where possible, confirm attendee or company approval for sharing, and review retention and access controls for any downstream tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes an automated workflow that collects and forwards attendee identities, meeting notes, decisions, and reminders between multiple agents and an external Slack destination, but it does not warn operators about privacy, consent, retention, or sensitivity of meeting content. In a meeting-assistant context, this data commonly contains confidential business and personal information, so omission of handling guidance increases the likelihood of unsafe deployment and inadvertent disclosure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The usage examples include realistic-looking attendee emails, decisions, action items, reminder text, and a notes URL, normalizing the publication of potentially sensitive meeting content without any caution about using synthetic/sample data or protecting production information. Because this skill is specifically designed to move meeting data among agents and external services, operators may copy these patterns directly into real environments and expose confidential information.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill explicitly configures external transmission of meeting-related data, including webhook-based calendar syncing and Slack reminders, but provides no privacy notice, consent step, minimization guidance, or warning about sharing attendee and meeting metadata with third parties. In a meeting assistant context, these fields can contain sensitive business information and personal identifiers, so silent external disclosure creates a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest and workflow examples show attendee email addresses, meeting notes, decisions, and action items being stored and forwarded between agents without any warning about sensitivity, retention, or downstream disclosure. Because meeting notes often include confidential internal discussions and personal data, normalizing storage and propagation without safeguards materially increases the chance of oversharing or improper retention.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal