Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Meeting Autopilot
v1.0.0A comprehensive AI agent skill that handles every stage of the meeting lifecycle. Prepares you before every meeting with context, attendee backgrounds, and t...
⭐ 0· 299·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The description promises calendar scanning, attendee history, recent email threads, related documents, sending follow-ups, and automatic triggers around events — all of which normally require explicit connectors or credentials (calendar, email, storage, contacts). Yet the skill declares no required environment variables, config paths, or install steps. That mismatch is unexplained and disproportionate to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to act automatically (e.g., '30 minutes before any calendar event', 'automatic after every meeting'), to pull attendee relationships, emails, and docs, to capture live meeting input, and to draft/send follow-ups. These runtime instructions assume access to mailbox/calendar/storage and possibly audio input, but the skill gives no guidance on how those accesses are acquired or scoped.
Install Mechanism
No install spec and no code files (instruction-only). That reduces risk from arbitrary binaries or downloads. However, the lack of install does not resolve the permission/credential gaps noted above.
Credentials
The skill requests no environment variables or credentials while describing features that normally require multiple sensitive permissions (email send/receive, calendar read/write, document storage, contacts). This under-declaration is disproportionate and opaque — it should list required connectors and scopes.
Persistence & Privilege
always:false (no forced inclusion) and autonomous invocation is allowed by default. The skill says it will 'store' meeting summaries in the agent's memory and trigger automatically around calendar events. If the platform provides the agent with calendar/email access, that combination increases data exposure risk; the skill itself does not request persistent system-level privileges, but its intended behavior implies ongoing access to user data.
What to consider before installing
This skill promises deep access to your calendar, email, documents, contacts, and live meetings but doesn't declare what credentials or connectors it needs. Before installing: 1) Ask the publisher (or platform) for a precise list of integrations and the exact OAuth scopes/permissions the skill will use (calendar read/write, email send, mailbox read, drive/file access, contacts, microphone). 2) Require a privacy/security policy: where summaries are stored, retention period, who can read them, and how to delete data. 3) Confirm 'never sent without explicit confirmation' is enforced by the platform (and request an audit log of sends). 4) Test first with a dummy account/calendar with limited data and no sensitive mail; verify follow-ups are not auto-sent. 5) Prefer scoped, revocable tokens or platform-managed connectors rather than asking you to paste credentials. 6) If the publisher/source is unknown (no homepage) treat the skill as higher risk — consider rejecting until origin and required permissions are documented.Like a lobster shell, security has layers — review code before you run it.
action-itemsvk975xhnpj2194wzmg016nrt3kh82fwpglatestvk975xhnpj2194wzmg016nrt3kh82fwpgmeetingsvk975xhnpj2194wzmg016nrt3kh82fwpgnotesvk975xhnpj2194wzmg016nrt3kh82fwpgproductivityvk975xhnpj2194wzmg016nrt3kh82fwpgprofessionalsvk975xhnpj2194wzmg016nrt3kh82fwpg
License
MIT-0
Free to use, modify, and redistribute. No attribution required.