Skill v1.1.0
ClawScan security
Granola Meeting Notes (MCP) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 23, 2026, 3:11 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are coherent with its stated purpose (accessing Granola meeting notes via an MCP client); the only risks relate to normal OAuth token handling and how the user stores/runs the refresh script.
- Guidance
- This skill appears to do what it says: call Granola via the mcporter client and refresh OAuth tokens. Before installing: (1) ensure the mcporter binary you have is the legitimate client you expect; (2) create and store config/granola_oauth.json and config/mcporter.json in a secure location, set strict file permissions, and never commit them to version control; (3) inspect the refresh_token.sh script (it is small and readable) and consider removing or limiting its stdout output to avoid logging tokens on error; (4) only use the official token endpoint (don’t allow an untrusted token_endpoint value in the oauth config), and (5) if you schedule the script (cron), ensure the environment it runs in is isolated and monitored. These are operational cautions for any OAuth-based integration rather than indicators of malicious behavior.
Review Dimensions
- Purpose & Capability
- ok: Name/description (Granola via MCP) matches the declared binaries (mcporter, curl, bash, python3) and the included refresh script. Requiring mcporter is expected for MCP calls; curl/python3/bash are only used for the OAuth refresh helper and are proportionate to the stated purpose.
- Instruction Scope
- note: SKILL.md limits runtime actions to calling mcporter and running an OAuth refresh script when auth fails. The refresh script reads and updates only the two declared config files (config/granola_oauth.json and config/mcporter.json) and POSTs to the token endpoint listed in the OAuth config. That is within scope, but the script prints full error responses to stdout (which could leak sensitive info into logs), and a mistaken or malicious token_endpoint value in the config would cause refresh_token to be sent to an arbitrary endpoint, so user trust in the config values and log handling is important.
- Install Mechanism
- ok: No install spec is provided and no remote downloads occur; this is an instruction-only skill with a small local script. There is no evidence of additional install-time network fetches or archives being written.
- Credentials
- note: No environment variables or unrelated credentials are requested. The skill requires two local config files that necessarily contain secrets (refresh_token, access_token, bearer header). This is appropriate for an OAuth-based integration, but it means the user must protect those files (permissions, not committing to VCS).
- Persistence & Privilege
- ok: always:false and no changes to other skills or global agent settings. The script updates only its own declared config files. Optionally suggesting a cron job is normal but increases operational exposure if scheduled without safeguards.
