Security audit

Minutes Sync

Security checks across malware telemetry and agentic risk

Overview

This skill clearly creates meeting minutes and syncs them to Feishu, with no hidden code or deceptive behavior in the reviewed artifacts.

Install this only if you want meeting minutes uploaded to Feishu. Before first use, verify the separate feishu-doc helper skill, confirm the active Feishu account and target folder, and review any share or ownership-transfer options before using them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill description includes broad triggers like taking meeting notes, summarizing discussions, and when a meeting ends, which can match many ordinary note-taking requests. This can cause the skill to activate unexpectedly and route sensitive conversational content into an automated workflow that generates and syncs minutes to Feishu, increasing the chance of unintended data handling.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill prominently advertises Feishu sync but does not clearly warn users up front that meeting content may be transmitted to and stored in Feishu. In the context of meeting minutes, this is especially risky because notes often contain confidential business discussions, attendee information, decisions, and action items, so silent syncing can create privacy, compliance, and data leakage issues.

Missing User Warnings

Medium
Confidence: 90%
Finding
The guide documents `--share` and `--owner` operations that can broaden access to meeting minutes or transfer control of a document, but it provides no warning, confirmation requirement, or scope limitation. In the context of meeting minutes, the content often contains sensitive internal discussions, so normalizing these operations without permission-impact guidance increases the risk of accidental data exposure or improper ownership changes.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.