Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Meeting Assistant
v2.0.0Generate meeting summaries, extract action items with deadlines, coordinate schedules, and manage meeting templates and reminders.
⭐ 0· 47·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (meeting summaries, action items, scheduling/templates) align with the code's functionality (parsing content, generating minutes, storing meetings). However the SKILL.md advertises scheduling/reminder and calendar integration as features/todos while the code contains no calendar API integration or OS scheduling logic. Also SKILL.md documents storage under ~/.openclaw/workspace/meeting-assistant/meetings.json but the code reads/writes a meetings.json next to the script (Path(__file__).parent). These mismatches are implementation inconsistencies but not clearly malicious.
Instruction Scope
SKILL.md asks for file read/write and scheduled tasks (for reminders). The instructions and examples focus on parsing meeting text and storing notes. The runtime instructions do not direct the agent to read arbitrary system files or environment variables. But SKILL.md implies persistent reminders and external calendar API use; the provided code does not implement external API calls or OS-level scheduling—so the actual runtime behavior is narrower than the doc claims.
Install Mechanism
No install spec; this is instruction-only with an included Python file. There is no network download or package install specified. Low install risk, but note that the presence of a code file means an agent/runtime may choose to execute it—verify platform policy for executing bundled scripts.
Credentials
The skill declares no required environment variables, credentials, or unusual config paths. The code only reads/writes local JSON files (meetings.json, and references tasks.json which isn't present). No credentials or external endpoints are requested.
Persistence & Privilege
always is false and the skill does not request elevated privileges or to modify other skills' configs. It writes its own data files in its directory (or as implemented by the runtime). There is no evidence the skill registers itself for persistent system-wide execution.
What to consider before installing
Things to check before installing:
- Confirm how your agent platform executes bundled code files: this package includes meeting_assistant.py but no install instructions—know whether the agent will execute that Python file automatically.
- Verify where meeting data will be stored. SKILL.md points to ~/.openclaw/workspace/meeting-assistant/meetings.json but the code writes to the script's directory (Path(__file__).parent/meetings.json). Make sure files are stored in a location you control and that no sensitive directories will be used.
- Calendar integration and reminder scheduling are listed as planned/todo but are not implemented in the code. If you expect calendar/reminder behavior, require the author to document which calendar APIs will be used and which environment variables/credentials will be requested.
- tasks.json is referenced but not included; ask the author about expected data files and migration behavior.
- Because the skill asks for file read/write (and would need scheduling to send reminders), minimize its filesystem permissions and run it in an isolated workspace until you confirm behavior. If you need calendar/email reminders, prefer a version that explicitly declares and justifies the exact credentials it will require.
- If you are not comfortable auditing Python code yourself, request the author to explain the execution model and provide a reproducible install/run example.Like a lobster shell, security has layers — review code before you run it.
latestvk9746w1qd1591j1xmyw7c0nf6n83trff
License
MIT-0
Free to use, modify, and redistribute. No attribution required.