Skill Vexa
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its meeting-bot purpose, but its optional public webhook can wake the agent with webhook-supplied content and update memory automatically, so it needs review before enabling.
The core Vexa meeting-bot functionality appears purpose-aligned, but be careful with privacy and automation. Keep the API key in an env file, get consent before sending bots to meetings, and do not enable the public webhook unless you can protect it with authentication or signed verification. If you use webhooks, review generated reports and memory/entity updates before trusting them.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A reachable webhook endpoint could cause agent activity whenever it receives a matching request, and the artifacts do not show a clear origin-authentication boundary.
The documented setup exposes a public webhook that immediately wakes an agent. The provided mapping does not show a signature, shared token, or sender-authentication requirement.
"action": "agent", "wakeMode": "now" ... "The webhook cannot be set without a public URL"
Enable the webhook only behind strong authentication or signed webhook verification, and keep manual report creation as the safer default unless the hook is protected.
A crafted webhook payload could influence what the agent does during an automatic report workflow.
Webhook-controlled payload content is inserted directly into the message returned to the agent. If payload fields contain instructions, they may be interpreted as task context rather than untrusted data.
Raw payload (for reference):
${JSON.stringify(p, null, 2)}Do not include raw webhook payloads in agent prompts. Extract only validated fields, label them as untrusted data, and ignore any instruction-like content from webhook bodies.
Malformed or malicious webhook fields could lead the agent to run a command for the wrong meeting or with unexpected arguments.
The command text is assembled from webhook-derived platform and meeting ID values without visible validation or quoting before being sent as an agent instruction.
const reportCmd = `node skills/vexa/scripts/vexa.mjs report --platform ${platform} --native_meeting_id ${nativeMeetingId}`; ... `1. Run: ${reportCmd}`Validate platform against an allowlist, validate meeting IDs with strict regexes, and pass structured arguments instead of generating a shell-style command from webhook data.
Untrusted or incorrect webhook content could be turned into persistent memory that affects later agent behavior.
The automatic webhook task asks the agent to update persistent memory/entity files while also supplying raw webhook content as context.
3. Update/create entity files under memory/entities/ ... Raw payload (for reference):
Require human review before updating memory/entities from webhook-triggered reports, and store webhook-created notes with provenance and limited trust.
Anyone with the configured key may be able to use the Vexa account to manage bots and access meeting transcripts.
The skill needs a Vexa API key to start bots and retrieve transcripts, and it gives some secure handling guidance. This is purpose-aligned but grants access to sensitive meeting data.
Required: `VEXA_API_KEY` ... Do not ask users to paste API keys in chat.
Use a least-privilege Vexa key if available, keep it out of chat, rotate it if exposed, and ensure meeting participants consent to transcription/recording.
Using the skill runs local Node scripts from the skill package.
The CLI runs bundled helper scripts through Node. This is expected for the skill's local CLI workflow and does not itself show arbitrary shell execution.
spawnSync(process.execPath, [onboardScript, ...forwardOnboardingArgs(args)], { stdio: "inherit", env: process.env })Review script changes before updating the skill, and avoid running webhook-generated commands without validation.