Create secure videoconference
PassAudited by ClawScan on May 1, 2026.
Overview
This looks like a straightforward Meetling link generator; it does not use credentials or send messages itself, but users should review generated recipients, link text, and publisher provenance.
Before installing, confirm you trust the publisher, keep contacts.json trusted and minimal, and review the generated link, message, and recipients before sending invites. Avoid sensitive meeting subjects in the title or request text if you do not want them reflected in the URL.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If another tool automatically acts on the share payload, invitations could be sent to the resolved contacts.
The skill outputs a ready-to-use share payload with resolved recipient IDs. This is purpose-aligned for video invites and the code does not send it itself, but it can feed a downstream sending path.
share: { message, recipients: resolved.map(r => ({ channel: r.channel, id: r.id })), recipients_unresolved: unresolved }Review the generated message and recipient list before allowing a messaging or sharing tool to send it.
A wrong or outdated contacts.json could route an invitation payload to the wrong contact ID or expose contact identifiers in output.
The skill reads a persistent local contacts file to resolve invite recipients. The path is fixed and size-limited, but stale or tampered contact data could affect who appears in the share payload.
const p = path.resolve(process.cwd(), "contacts.json"); ... const raw = fs.readFileSync(p, "utf8"); const obj = JSON.parse(raw);
Keep contacts.json in a trusted workspace, keep it minimal, and verify resolved and unresolved recipients before sending.
Sensitive meeting subjects or participant names could be visible in the link itself, and therefore to recipients, the provider, or logs that store URLs.
The generated Meetling URL slug can be derived from the title, free-form request text, or participant names, so meeting context may become part of the shared URL path.
const slug = buildRoomSlug({ title: title || text, participants: participantsInput }); ... return `${MEETLING_BASE}/m/${slug}`;Use neutral meeting titles or request text when confidentiality matters, and prefer random room names if available.
It may be harder to verify the publisher, track updates, or compare the package to an upstream source.
The registry metadata does not provide a source repository or homepage, which limits provenance verification even though the included code is small and dependency-free.
Source: unknown Homepage: none
Install only if you trust the publisher or have reviewed the included files; prefer packages with clear source provenance.