Security audit

Meeting Minutes Assistant (会议纪要助手)

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a simple local meeting-notes formatter, with some documented but missing sharing features users should verify before using.

Use the included extract_minutes.py script only for local formatting. Treat the documented todo and push commands as unimplemented until those scripts are provided and reviewed, and do not send meeting minutes to enterprise chat channels unless you have confirmed the destination and permission to share the content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill advertises pushing meeting minutes to external services like WeCom, Feishu, and DingTalk without warning users that meeting notes may contain sensitive business, personal, or confidential information. In the context of meeting minutes, this is more dangerous because the content commonly includes internal decisions, attendee lists, action items, and deadlines, so undocumented data sharing can cause privacy or confidentiality breaches.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.