Firefly AI
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: firefly
Version: 1.0.0

The skill bundle provides a Node.js client (`scripts/firefly.cjs`) to interact with the Firefly AI GraphQL API, as described in `SKILL.md` and `references/api.md`. The script correctly uses environment variables for API keys, parameterizes user inputs for GraphQL queries to prevent injection, and only makes network requests to the specified `api.fireflies.ai` endpoint. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection designed to subvert the agent's intended behavior. The instructions in `SKILL.md` are aligned with the skill's stated purpose and do not contain malicious directives.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with this API key can retrieve meeting information available to that Fireflies.ai account, including potentially sensitive transcripts and summaries.
The script requires a Fireflies.ai API key and uses it as a bearer token to access the user's Fireflies account data.
const API_KEY = process.env.FIREFLY_API_KEY; ... 'Authorization': `Bearer ${API_KEY}`
Use a dedicated or least-privileged Fireflies API key if available, keep it only in trusted environment configuration, and revoke it when no longer needed.
Custom queries could expose more meeting metadata than the user intended, such as participant details or media links, though this remains aligned with the Fireflies.ai integration purpose.
The skill supports a raw GraphQL path in addition to the safer predefined list, transcript, summary, and search commands, which can retrieve broader meeting fields if used.
Build GraphQL queries directly against `https://api.fireflies.ai/graphql`. See `references/api.md` for full schema and available fields.
Prefer the predefined commands when possible, request only the fields needed, and confirm before retrieving or saving full transcripts or expanded attendee/media details.
