Granola Meeting Notes (MCP)
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Granola meeting-notes connector, with expected but important access to private meeting content and OAuth tokens.
Install this only if you want the agent to access your Granola meeting notes and transcripts. Protect the OAuth config files, verify the Granola token endpoint, and enable the optional cron refresh only if you are comfortable with background token maintenance.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to these config files or the refresh flow could potentially access the user's Granola meeting notes.
The helper reads a local refresh token and client ID, sends them to the configured OAuth token endpoint, and updates local bearer-token configuration.
RESPONSE=$(curl -s -X POST "$TOKEN_ENDPOINT" ... -d "grant_type=refresh_token&refresh_token=${REFRESH_TOKEN}&client_id=${CLIENT_ID}")
Use only with the intended Granola account, keep the config files private, and verify the token endpoint remains the official Granola HTTPS endpoint.
Private meeting notes and transcripts may be brought into the agent conversation when the skill is used.
The skill routes requests through an MCP connection and can retrieve full meeting details and verbatim transcripts.
Meeting notes AI connected via `mcporter call granola.<tool>` ... `granola.get_meeting_transcript meeting_id=<uuid>`
Use the skill only in trusted workspaces and avoid requesting transcripts that contain information you do not want exposed in the current chat context.
If enabled, a scheduled task would continue refreshing access tokens outside an active user request.
The documentation suggests optional background persistence for token refresh, though it is disclosed and user-directed.
(Optional) Set up a cron job to run `scripts/refresh_token.sh` periodically, since OAuth tokens expire every ~6 hours
Only configure the cron job if you need it, document where it is installed, and remove it when you no longer use the skill.
Users have less external context for verifying who maintains the skill or whether the script matches an upstream project.
The registry metadata does not provide an upstream source or homepage for independent provenance checks.
Source: unknown; Homepage: none
Review the included SKILL.md and refresh_token.sh before installing, and prefer a version with a verifiable source if available.
