ClawHub

MeetingPrep Auto-Generate Meeting Briefs

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward meeting-brief generator, with sensitive calendar and workspace context use that is disclosed enough to treat as expected for its purpose.

Install only if you are comfortable with your agent using its existing calendar and workspace access to prepare meeting briefs. For sensitive meetings, specify the exact event and allowed sources, exclude email/docs when unnecessary, review the generated brief before sharing, and delete or secure locally stored outputs you do not want retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The README narrows user expectations to built-in calendar access, but later describes surfacing emails, documents, notes, and follow-up tracking, which implies broader data access and processing than initially disclosed. This is dangerous because users may authorize or deploy the skill under an incomplete understanding of what data it touches, increasing the risk of over-collection and privacy violations in a meeting-prep context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises access to calendar data plus related notes, emails, and documents, but does not present a prominent privacy warning or consent-oriented disclosure near the feature description. In this context, that omission is risky because meeting briefs can aggregate sensitive business and personal information, making accidental disclosure, over-sharing, or noncompliant data handling more likely.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal