Skill v1.0.0

ClawScan security

Meeting Notes Summarizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 22, 2026, 8:35 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior (sending transcripts to the Anthropic API) matches its description, but registry metadata omits required credentials and runtime dependencies and there are small inconsistencies that warrant caution before installation.
Guidance
This skill appears to do what it says: it sends the meeting transcript you pipe in to the Anthropic API and returns a markdown summary. Before installing or running it:
1) be aware the entire transcript is sent to api.anthropic.com — do not forward sensitive or confidential meeting content unless you trust Anthropic and accept their data-handling and billing policies;
2) the registry metadata omitted required runtime items — SKILL.md and the script require ANTHROPIC_API_KEY and the script calls python3 in addition to bash and curl, so ensure those are available and the required env var is set;
3) the skill's source/homepage is unknown — prefer running the provided summarize.sh in a controlled environment (container or isolated VM) and inspect the script yourself;
4) ask the publisher to update the registry entry to declare the ANTHROPIC_API_KEY and python3 requirement and to provide a homepage or source repo for transparency.
These mismatches explain the 'suspicious' rating even though the code itself is not overtly malicious.

Review Dimensions

Purpose & Capability
note: The script implements a meeting-transcript -> structured summary flow using the Anthropic API, which is coherent with the skill's name and description. However the registry metadata declares no required env vars or binaries while the SKILL.md and script require ANTHROPIC_API_KEY, bash, curl and use python3 — a metadata/instruction mismatch.
Instruction Scope
ok: Runtime instructions and the script are narrowly scoped: they read stdin, forward the transcript to api.anthropic.com, and print the returned markdown. The script does not read other files, system credentials, or call unrelated endpoints.
Install Mechanism
ok: No install spec is provided (instruction-only skill with an included script). Nothing is downloaded or installed by the skill itself.
Credentials
concern: The only required secret at runtime is an ANTHROPIC_API_KEY, which is proportionate to calling Anthropic. However the registry metadata fails to declare this primary credential, and the script also requires python3 (not listed in SKILL.md requirements), creating an information mismatch that could confuse users about what is needed and where secrets are used.
Persistence & Privilege
ok: always:false and no special persistence or system-wide configuration changes. The script does not modify other skills or system settings.