Skill v1.0.0

ClawScan security

Tencent Meeting Mcp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 14, 2026, 2:29 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to implement Tencent Meeting MCP functionality, but its runtime instructions and setup script require a secret and perform an npm install/configure step that the registry metadata does not declare — this mismatch warrants caution.
Guidance
What to consider before installing:
1) The skill's files and README require a TENCENT_MEETING_TOKEN but the registry metadata does not declare it — expect to supply that secret and be explicit where it comes from.
2) setup.sh will install mcporter globally via npm if not present and will write a mcporter config that includes your token in request headers; review setup.sh and the mcporter tool before running.
3) Confirm you trust the endpoint https://mcp.meeting.tencent.com and the source of the token (visit the official Tencent meeting portal or your org admin).
4) If you need tighter control, run the setup steps manually (inspect and run the npm install and mcporter config commands yourself) instead of running the script as-is.
5) Additional information that would raise confidence: a verified homepage/owner, published provenance for mcporter, or registry metadata updated to declare TENCENT_MEETING_TOKEN as a required credential.

Review Dimensions

Purpose & Capability
Note: Name, description, and API references match a Tencent Meeting MCP integration and the endpoints referenced (https://mcp.meeting.tencent.com/...) are coherent with that purpose. However, the skill's metadata declares no required environment variables while the documentation and included setup.sh explicitly require a TENCENT_MEETING_TOKEN — an inconsistency.
Instruction Scope
Concern: SKILL.md instructs the agent to run setup.sh, use mcporter commands, compute timestamps via system commands (e.g., date), and rely on an environment token. The instructions legitimately target Tencent Meeting APIs, but they also require executing shell commands and a setup script that installs/configures tooling — which increases the runtime surface. The skill also mandates use of system date commands (explicit) rather than leaving time handling to higher-level logic.
Install Mechanism
Concern: There is no formal install spec in the registry, but the included setup.sh will install mcporter via 'npm install -g mcporter' if mcporter is absent. That means a global npm package will be installed and mcporter configuration will be written. An implicit runtime installer in a supplied script is riskier than a declared, reviewed install step.
Credentials
Concern: The skill requires a TENCENT_MEETING_TOKEN to authenticate to the MCP endpoint (used in mcporter config headers). Requesting a single service token is reasonable for this integration, but the token requirement is not declared in the registry metadata (required env vars list is empty). The setup script will fail/exit if the token is missing, so users may be surprised. The token will be embedded into mcporter config headers (persistence).
Persistence & Privilege
Note: always is false and autonomous invocation is allowed (platform default). setup.sh writes a project-scoped mcporter config (adds the MCP endpoint and headers), which is normal for a tool integration but does modify local tooling configuration and persists the token in mcporter's config. The skill does not request system-wide privileges or modify other skills.