Back to skill

Security audit

Meeting Minutes Workflow

Security checks across malware telemetry and agentic risk

Overview

The skill does what it claims, but it can send sensitive meeting notes to Feishu and save action items locally without clearly requiring user approval.

Install only if you are comfortable with meeting notes being turned into a Feishu document and action items being stored locally. Before using it for confidential meetings, explicitly tell the agent whether to sync, who should have access, and whether to save action items; otherwise keep output local and avoid sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill performs file reads and writes (`assets/template.md`, `memory/action-items-{date}.json`) but does not declare any permissions or user-facing notice for those capabilities. Hidden persistence and local file access increase the chance of unintended data handling, especially because meeting minutes often contain sensitive business information.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation conditions are broad enough to trigger on general meeting-related context, which can cause the skill to engage on sensitive discussion content without clear user intent to save or sync it. In a corporate environment, overbroad activation raises the risk of accidental processing and downstream disclosure of confidential notes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs syncing rendered meeting content to Feishu and saving structured action items locally, but provides no warning, consent gate, or data-classification checks. Because meeting notes frequently include confidential discussions, participant identities, deadlines, and decisions, this can lead to unauthorized external disclosure and unintended local retention of sensitive data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.