Display Name: ChatMerge - Intelligent Multi-Channel Chat Minutes Assistant

Security checks across malware telemetry and agentic risk

Overview

ChatMerge is a disclosed chat-summary assistant, but it asks for broad chat, meeting, automation, and third-party write authority that needs careful review before installation.

Install only if you are comfortable granting access to the relevant workspaces and connected business tools. Start with pasted text or one explicit channel, use least-privilege tokens, keep auto-create and auto-record disabled unless deliberately needed, and verify the schedule, destination, monitoring status, retention behavior, and stop/delete controls before enabling automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (38)

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The documentation expands the skill from passive chat summarization into scheduled automation, proactive monitoring, and outbound notifications across platforms. That materially changes the trust boundary: a user expecting a summarizer may unknowingly enable persistent surveillance and message delivery behaviors that can leak sensitive discussions or create actions without clear ongoing consent.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
Automatically creating and updating Jira, Notion, GitHub, and calendar items goes well beyond summarization and introduces write access to external systems. If enabled without strict confirmation and scoping, the skill could create fraudulent tasks, leak confidential chat-derived data into third-party services, or alter operational workflows based on imperfect AI extraction.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Voice/video integration with automatic meeting capture and transcription broadens the skill from reading chats to collecting spoken communications. That increases privacy and compliance risk substantially, especially because meeting content often contains more sensitive material and may be subject to consent, retention, and jurisdiction-specific recording laws.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The documentation instructs the skill to consume credentials from environment variables for multiple third-party systems, indicating broad access to external services. In the context of a summarization tool, this is dangerous because it normalizes high-privilege token use without clear scope restriction, secret handling guidance, or justification tied to least privilege.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Auto-recording meetings is a context-inappropriate and high-risk capability for a skill presented as a chat summarizer. It can silently capture sensitive conversations, create legal exposure under two-party/all-party consent rules, and significantly increase harm if recordings or transcripts are later mishandled or exfiltrated.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The changelog describes materially expanded capabilities—scheduled reports, real-time monitoring, automatic channel discovery, notifications, and external task creation—that exceed the simple read-and-summarize scope implied by the skill metadata. This is dangerous because users and reviewers may grant trust or permissions based on a narrower understanding, while the skill appears designed to perform ongoing surveillance and external side effects.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The v1.0 privacy/security claims say the skill only processes user-provided content and has no automatic platform connection, yet the later changelog introduces automatic channel discovery, direct platform reads, scheduling, and monitoring. This contradiction can mislead users about data access and collection behavior, undermining informed consent for potentially sensitive chat and meeting content.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The quickstart documents capabilities such as scheduled summaries, continuous monitoring, and automatic Jira task creation that materially exceed the stated read-and-summarize purpose of the skill. This is dangerous because users may grant broader trust and permissions than expected, enabling persistent data access and write-side effects in external systems under the guise of a summarization tool.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation states that scheduled summaries are automatically sent to external destinations like Slack or email, which goes beyond passive chat summarization and introduces outbound data transmission. This is risky because summarized chat content may contain sensitive information and could be forwarded to unintended recipients or systems without users appreciating that behavior from the skill description alone.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
The statement that the skill 'will not store chat records' conflicts with features like persistent schedules and monitoring tasks, which necessarily require some retained state or configuration. Misleading privacy claims are dangerous because users may make trust decisions based on inaccurate assumptions about persistence, retention, and ongoing access.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The document advertises capabilities far beyond the stated skill purpose of reading chats and generating minutes, including monitoring, task orchestration, recommendations, and meeting integrations. This scope expansion is dangerous because it normalizes broader access and action permissions than users would reasonably expect from a summarization tool, increasing the chance of over-privileged deployment and misuse.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Automatically creating Jira tickets, Notion tasks, GitHub issues, and calendar reminders goes well beyond minutes generation and introduces external side effects in third-party systems. This is dangerous because a user invoking a summarization skill may unintentionally trigger persistent actions, data propagation, and operational changes across connected services.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Real-time monitoring and urgent notifications are materially different from on-demand summarization and imply continuous inspection of channel contents. In this skill context, that increases privacy and surveillance risk because users may not expect ongoing observation from a tool described as generating minutes.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Automatic creation of external tickets, tasks, issues, and reminders is context-inappropriate for a minutes-generation skill and can produce immediate, irreversible side effects outside the chat system. This is especially dangerous because the described automation crosses trust boundaries into project management, code hosting, and calendar systems without any evidence of confirmation safeguards.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document describes automatic recording and transcription but omits any warning about privacy, consent, or participant notification obligations. That omission is dangerous because users may deploy the feature in ways that violate workplace policy or recording laws, especially when the skill is designed to operate automatically.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Scheduled reports, real-time monitoring, and automatic message reading are privacy-sensitive behaviors, but the changelog presents them as convenience features without corresponding user-facing warnings about continuous access, scope, or data handling. In a chat aggregation skill, that omission increases the risk of unnoticed surveillance or collection of sensitive workplace communications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Automatic task creation in Jira/Notion/GitHub and meeting transcription introduce external writes and handling of highly sensitive spoken content, yet the changelog gives no warning about data propagation, access control, or accidental disclosure. This can lead to sensitive chat or meeting data being copied into third-party systems without adequate user awareness or safeguards.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document strongly promotes automatic reading of messages from 20+ chat platforms but provides no user-facing notice about privacy, scope of access, consent, or sensitive-content handling. In a skill centered on aggregating chat data, this omission can cause users to over-share private or regulated communications without understanding the consequences.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The one-click auto-read workflow is presented as frictionless and highly desirable, but it omits any warning that retrieving messages may expose confidential channel content, personal data, or third-party communications to the agent. Because the skill is explicitly designed to ingest cross-platform chats, the lack of safeguards makes accidental privacy violations more likely.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The quickstart promotes daily automatic summaries sent to Slack without clearly warning that this creates an ongoing workflow with repeated access to chat data and recurring outbound transmission. In the context of a chat-minutes skill, that hidden persistence increases the risk of silent data leakage, oversharing, or operation after the user forgets it was enabled.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The real-time monitoring feature is presented as an immediate-notification convenience without prominently disclosing that monitoring may continue indefinitely until manually stopped. This is dangerous because users may unintentionally enable long-lived surveillance of channels, expanding the window for unauthorized observation, sensitive event capture, and unnoticed background activity.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation advertises automatic Jira task creation, calendar reminders, and progress tracking without an upfront warning about write actions to third-party systems. This is risky because a user may expect analysis only, while the skill can create records, trigger workflows, and spread chat-derived content into external tools, causing unintended operational and privacy consequences.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The quickstart explicitly encourages users to paste raw chat logs from multiple platforms, including OCR-derived text, but does not provide meaningful privacy safeguards or prominent warnings about exposing personal, confidential, or regulated data to the skill's processing environment. Although it notes users should have permission and claims sensitive data will be filtered, that can create a false sense of safety because automated filtering is never complete and may miss names, business secrets, or regulated content.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README encourages broad ingestion across 20+ chat platforms plus behavioral, sentiment, and efficiency analysis, but it does not place prominent consent, minimization, or participant-notice safeguards next to those claims. In a collaboration tool, this can normalize over-collection of private communications and analysis of employees or third parties without clear authorization boundaries, increasing privacy, compliance, and workplace surveillance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation promotes scheduled summaries, real-time monitoring, and automatic creation of Jira/calendar tasks as streamlined actions, but it does not give nearby warnings that these are persistent automations with external side effects. This can lead users to enable ongoing monitoring or create tasks/notifications in third-party systems without understanding the scope, duration, or blast radius of the automation.

VirusTotal

64/64 vendors flagged this skill as clean.
