meeting-autopilot

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it processes meeting transcripts with Anthropic or OpenAI and saves extracted meeting history locally, with those behaviors disclosed.

Install only if you are comfortable sending meeting transcripts or extracted meeting details to your configured Anthropic/OpenAI endpoint. Avoid using it for meetings your organization forbids sending to external AI services, review generated drafts before use, and use --no-history or delete ~/.meeting-autopilot/history/ for sensitive meetings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script transmits meeting-derived content, participant names, and extracted action items to third-party LLM APIs using API keys from environment variables. For a meeting-transcript skill, that can expose sensitive business discussions, decisions, and operational tasks outside the local environment, and the script provides no explicit consent gate or privacy control at the point of transmission.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The example triggers are very broad and overlap with ordinary assistant requests like 'Extract action items from my meeting' or 'Process this meeting transcript.' In agent ecosystems that auto-route skills from natural-language descriptions, this can cause the skill to activate unexpectedly and send sensitive meeting transcripts to an external LLM API, increasing the risk of unintended data disclosure.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The activation phrases are broad and overlap with ordinary meeting-related requests, increasing the chance the skill triggers when a user did not intend transcript processing or external API use. In this skill, unintended activation is more dangerous because it can lead to local file reads, shell execution, data persistence, and transmission of transcript contents to external LLM providers.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill requests transcript files and uses network access for Anthropic/OpenAI API calls, but the user-facing description does not prominently warn that transcript contents may be transmitted to third-party LLM services. Meeting transcripts frequently contain confidential internal discussions, personal data, or regulated information, so lack of informed consent creates significant privacy and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The Notes section mentions that items are automatically saved to ~/.meeting-autopilot/history, but this behavior is not clearly disclosed as a primary data-handling characteristic. Automatic persistence of meeting-derived data can expose sensitive operational details to other local users, backups, or forensic recovery, especially on shared or managed systems.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends full meeting transcript content to third-party LLM APIs, but the network call path does not enforce an explicit consent gate, redaction step, or contextual warning before transmission. In a meeting-automation skill, transcripts often contain sensitive business, personal, legal, or credential-like data, so silent exfiltration to external processors is a real confidentiality risk even if it is part of intended functionality.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code sends full meeting context to Anthropic or OpenAI without any user-facing warning in this script, even though meeting transcripts often contain confidential internal information and PII. Silent remote processing is dangerous because users may reasonably expect transcript handling to remain local, especially for an operational meeting automation tool.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends transcript-derived meeting content to an external LLM service through extract-items.sh, but this top-level entrypoint does not prominently warn users that potentially sensitive meeting data will leave the local environment. Because meeting transcripts often contain confidential business, HR, legal, or customer information, users may unknowingly disclose sensitive data to a third-party processor.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script stores extracted meeting data to a cross-meeting history file by default, which creates local persistence of transcript-derived operational data without a prominent warning or explicit opt-in. On shared machines, CI runners, or managed workstations, this can expose sensitive decisions, action items, and meeting metadata to other users or to later unintended access.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This prompt is designed to process raw meeting transcripts, which commonly contain sensitive business information, personal data, and internal decisions, but it includes no instruction to warn users, minimize sensitive data handling, or apply privacy safeguards. In a skill explicitly built to transform transcripts into operational outputs, that omission increases the risk of unintended exposure, over-collection, and downstream propagation of confidential content.

Ssd 1

Medium
Confidence
95% confidence
Finding
Untrusted transcript text is embedded directly into the LLM prompt, so a malicious participant can place prompt-injection instructions inside the meeting content that may alter extraction behavior, suppress items, fabricate outputs, or cause the model to ignore the intended extraction/classification rules. Because this skill is specifically designed to operationalize transcript content into tickets, emails, and action items, manipulated outputs can propagate into downstream business workflows.

External Transmission

Medium
Category
Data Exfiltration
Content
}')

    local response
    response=$(printf '%s' "$request_body" | curl -sS \
      "${anthropic_base%/}/v1/messages" \
      -H "Content-Type: application/json" \
      -H "x-api-key: ${ANTHROPIC_API_KEY}" \
Confidence
89% confidence
Finding
    curl -sS \
      "${anthropic_base%/}/v1/messages" \
      -H "Content-Type: application/json" \
      -H "x-api-key: ${ANTHROPIC_API_KEY}" \
      -H "anthropic-version: 2023-06-01" \
      -d

External Transmission

Medium
Category
Data Exfiltration
Content
}')

    local response
    response=$(printf '%s' "$request_body" | curl -sS \
      "${openai_base%/}/v1/chat/completions" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${OPENAI_API_KEY}" \
Confidence
89% confidence
Finding
    curl -sS \
      "${openai_base%/}/v1/chat/completions" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${OPENAI_API_KEY}" \
      -d

External Transmission

Medium
Category
Data Exfiltration
Content
}')

    local response
    response=$(printf '%s' "$request_body" | curl -sS \
      "${anthropic_base%/}/v1/messages" \
      -H "Content-Type: application/json" \
      -H "x-api-key: ${ANTHROPIC_API_KEY}" \
Confidence
93% confidence
Finding
    curl -sS \
      "${anthropic_base%/}/v1/messages" \
      -H "Content-Type: application/json" \
      -H "x-api-key: ${ANTHROPIC_API_KEY}" \
      -H "anthropic-version: 2023-06-01" \
      -d

External Transmission

Medium
Category
Data Exfiltration
Content
}')

    local response
    response=$(printf '%s' "$request_body" | curl -sS \
      "${openai_base%/}/v1/chat/completions" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${OPENAI_API_KEY}" \
Confidence
93% confidence
Finding
    curl -sS \
      "${openai_base%/}/v1/chat/completions" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${OPENAI_API_KEY}" \
      -d

VirusTotal

65/65 vendors flagged this skill as clean.