Is ai-meeting-notes safe?

https://clawhub.ai/jeffjhunter/ai-meeting-notes

Overall score 82 · SAFE

AI Meeting Notes is a prompt-only productivity skill that converts pasted meeting notes into structured summaries with action items and to-do tracking. It contains no executable code, makes no network requests, and does not access sensitive files. The primary concern is its aggressive use of behavioral override language in the prompt (CRITICAL, MANDATORY, MUST, NEVER) to control how the agent formats its responses; this lowers its Prompt Injection score slightly, but the language serves benign UX purposes. The skill is well-bounded in scope and poses minimal security risk.

Category Scores

Category · Score · Weight

Prompt Injection 68/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (6)

MEDIUM Aggressive response format override -20

The skill uses emphatic language ('CRITICAL', 'MANDATORY RULES', 'NEVER DO THIS', 'MUST') to force the agent into a specific response format. While this is done for UX consistency (single-message responses with specific sections), it represents a strong behavioral override that could conflict with user preferences or other system instructions. The block contains detailed step-by-step behavioral directives that reshape how the agent responds.

LOW Pre-flight checklist behavioral conditioning -7

The skill includes a 'Step 0: Pre-Flight Checklist' that instructs the agent to confirm internal behavioral constraints before responding. This is a soft prompt injection technique that conditions the agent to self-verify compliance with the skill's rules, though the rules themselves are benign (formatting requirements).

LOW Repeated instruction reinforcement pattern -5

The same formatting instructions are repeated multiple times throughout the document (response format section, mandatory rules table, ai_instructions block, Step 9). This repetition is a known technique to increase instruction adherence in LLMs. While used for benign purposes here, it demonstrates awareness of prompt engineering techniques that could be used for manipulation.

LOW Platform runtime reads sensitive files during install -10

During installation, install-time monitoring detected reads of .env, .aws/credentials, .profile, and .bashrc. Analysis indicates these reads originate from the OpenClaw platform runtime (gateway lock file creation, jiti transpiler cache) rather than from the skill itself, since the skill contains no executable code. The finding is nonetheless recorded here for transparency.

LOW Implicit workspace file creation -15

The skill instructs the agent to create a meeting-notes/ directory and todo.md file in the user's workspace. While this is the stated purpose of the skill, it modifies the user's filesystem without per-operation confirmation. If a user already has a todo.md or meeting-notes/ directory, conflicts could arise.

INFO Skill scope is well-bounded -15

The skill's functionality is limited to text processing (parsing pasted notes), local file creation (meeting-notes/*.md, todo.md), and formatted output. It does not request network access, API calls, shell execution, or access to sensitive files. The attack surface is minimal for a prompt-only skill.