Meeting Assistant

Security checks across malware telemetry and agentic risk

Overview

This meeting assistant is mostly purpose-aligned, but it needs review because it records and analyzes sensitive meetings by default, exposes live-looking credentials, persists meeting artifacts, and can post or capture more broadly than users may expect.

Review before installing. Only use this with explicit participant consent, replace and rotate all bundled tokens/secrets, restrict local service ports, disable auto recording/transcription unless needed, define retention/deletion rules for recordings and transcripts, and avoid medical-mode live answers unless a qualified human reviews them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (49)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
log_file = open(DAEMON_LOG, "w", encoding="utf-8")
        try:
            proc = subprocess.Popen(
                cmd,
                stdout=log_file,
                stderr=subprocess.STDOUT,
Confidence
80% confidence
Finding
proc = subprocess.Popen( cmd, stdout=log_file, stderr=subprocess.STDOUT, start_new_session=True, cwd=str(SKI

subprocess module call

Medium
Category
Dangerous Code Execution
Content
bot_script = Path(__file__).parent / "meeting_bot.py"
    cmd = [python, str(bot_script)] + list(args)

    result = subprocess.run(
        cmd,
        capture_output=True,
        text=True,
Confidence
88% confidence
Finding
result = subprocess.run( cmd, capture_output=True, text=True, timeout=timeout, cwd=str(SKILL_DIR), env={**os.environ}, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
$graphics.Dispose()
$bitmap.Dispose()
"""
            subprocess.run(
                [powershell, "-Command", ps_script],
                capture_output=True, timeout=15
            )
Confidence
71% confidence
Finding
subprocess.run( [powershell, "-Command", ps_script], capture_output=True, timeout=15 )

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exposes substantial capabilities including shell, network, environment access, and file read/write, yet the manifest shown in SKILL.md does not declare permissions or limits. This creates a dangerous mismatch: an agent may invoke powerful actions without clear review, consent, or policy enforcement, especially for joining meetings, handling credentials, and persisting sensitive data.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The documentation explicitly states that messages from other participants that do not address the bot are silently logged for context. In a meeting assistant context, this expands collection beyond direct user interaction and can capture sensitive business, personal, or medical content without clear necessity or consent, making the context especially dangerous.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill documents retaining full transcripts, screenshots, bot outputs, and analysis logs under session directories after the meeting. For a real-time meeting assistant, this broad retention materially increases exposure of sensitive meeting content and creates a larger breach surface if the host system or logs are accessed by unauthorized parties.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The documentation exposes a live hardcoded API key in plaintext, which is a credential disclosure vulnerability rather than merely an informational example. In this skill’s context, the API controls autonomous meeting bots, transcripts, recordings, chat, screen share, and speech, so anyone with access to the docs can potentially join meetings, retrieve sensitive conversation data, or interact in meetings as the bot.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The troubleshooting guide exposes and instructs use of privileged admin credentials (`openclaw-meeting-bot`) and admin endpoints that are not required for ordinary end-user meeting assistance. In a skill that autonomously joins meetings and handles sensitive communications, documenting privileged control paths increases the chance of unauthorized token creation, user enumeration, and broader service compromise if the docs are accessed by untrusted users.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
The note recommending use of a `pc_control` screenshot tool expands the operational scope from in-meeting assistance to host-level screen capture, which can access data far beyond the meeting itself. In the context of a meeting bot used for medical consultations and remote communications, this creates elevated privacy and surveillance risk because host screenshots may include unrelated applications, credentials, or protected health information.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The guide expands the skill from passive meeting assistance into direct desktop control via pc-control, including hotkeys for mute, camera, screen sharing, and chat. In a meeting assistant—especially one used in medical contexts—this materially increases the attack surface because the agent can affect the user's live session and potentially trigger privacy-impacting actions like screen sharing without clear authorization boundaries.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The optional Zoom and Graph API integrations broaden access to participants, recordings, captions, transcripts, chat history, and calendar-linked meeting data. In a meeting/medical-assistant context, these remote data sources can expose highly sensitive information far beyond the live session, creating significant privacy and credential-abuse risk if not tightly scoped and disclosed.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
In medical mode, the bot explicitly offers to answer participant questions immediately in chat and uses broad medical keywords to trigger responses. That creates a real safety risk because it can deliver unverified medical guidance in a live consultation context, where participants may treat the bot's output as clinical advice.

Context-Inappropriate Capability

Low
Confidence
91% confidence
Finding
The bot responds not only to direct mentions but also to any message containing a question mark, command-like prefix, or certain keywords. In a group meeting, that broad trigger logic can cause unsolicited or contextually wrong responses, increasing the chance of misinformation, disruption, or disclosure of inferred context to unintended recipients.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly describes a bot that joins live meetings, captures audio and chat, performs transcription, and stores session data, but it provides no warning about participant consent, legal notice requirements, or privacy obligations. In the context of a meeting assistant—especially one used in medical consultations—silent recording and transcription can expose highly sensitive personal, business, or health information and create significant compliance and unauthorized-surveillance risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation states that WAV files are recorded per session and that a recordings directory stores audio, screenshots, and transcripts, yet it does not specify retention, deletion, or sensitive-data handling requirements. Because this skill is designed to collect and persist meeting artifacts, the absence of guidance on storage security and lifecycle management increases the risk of long-term exposure of confidential or regulated data.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger rules are overly broad: ordinary chat containing common terms like "AI", question marks, polite prefixes, or medical keywords can activate the bot unintentionally. In a live meeting this can cause unauthorized responses, disclosure of internal context into the meeting chat, and disruption or manipulation by any participant who can craft triggering messages.

Missing User Warnings

High
Confidence
98% confidence
Finding
The description says the bot performs speech-to-text and vision analysis via Claude AI, but it does not clearly warn users that meeting audio, screenshots, and chat content may be transmitted to an external AI service. In meeting and medical contexts, that omission undermines informed consent and can lead to sensitive data exposure to third-party processors.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The configuration enables both automatic transcription and automatic recording by default for a bot that autonomously joins remote meetings. In this context, that creates a meaningful privacy and consent risk because sensitive business, personal, or medical conversations may be captured without explicit per-meeting activation or participant approval.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly describes a bot that joins meetings, captures audio and chat, performs transcription, and allows in-meeting interaction, but provides no warning about participant consent, privacy expectations, or jurisdiction-specific recording requirements. In a meeting-assistant skill, this omission is especially risky because the tool is designed for live communications that often include sensitive business, personal, or medical information, making covert or non-compliant monitoring more likely.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The project structure documents a recordings directory that stores session artifacts such as audio, screenshots, and transcripts, yet gives no retention, access-control, or sensitive-data-handling guidance. Because this skill processes meeting content and may be used in doctor-patient communication, undocumented storage of transcripts and recordings materially increases the risk of privacy breaches, unauthorized access, and regulatory non-compliance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Silently logging participant messages without a user-facing privacy warning undermines informed consent and can expose private discussion content to the assistant's analysis pipeline. This is particularly concerning because the bot participates autonomously in live meetings where other attendees may not expect passive collection of their chat.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The analysis loop describes transcript fetching and screenshot capture attempts but does not pair those capabilities with explicit privacy warnings or consent expectations. In meeting and medical-consultation scenarios, covert or insufficiently disclosed capture of spoken and visual content can expose highly sensitive information.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The architecture explicitly describes capturing participant microphone audio, transcribing it, storing transcript segments, and relaying analysis into meeting chat, but it does not mention any user-facing consent, disclosure, or privacy controls. In a meeting-assistant skill, this omission is dangerous because the system operates in live communications contexts that may contain sensitive business, personal, or medical information, creating legal, privacy, and trust risks if recording/transcription occurs without informed participant consent.

Missing User Warnings

High
Confidence
99% confidence
Finding
The setup guide contains what appear to be live secrets: an admin API token creation flow, a current user API token, and elsewhere embedded service credentials such as the Zoom client secret. Exposing secrets in documentation for a meeting bot is dangerous because anyone with access to the repo or docs can impersonate the bot, access admin endpoints, or abuse connected services and meeting infrastructure.

Missing User Warnings

High
Confidence
100% confidence
Finding
The documentation contains live-looking API secrets and admin tokens directly in example commands, including a fixed admin key and a user API key. Exposed secrets can be copied from the repository or generated artifacts and used immediately to access administrative endpoints, create tokens, query meetings, or manipulate bots without further exploitation.

VirusTotal

66/66 vendors flagged this skill as clean.
