Skill v1.0.3
ClawScan security
Timeless.day Meeting Notes · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 5:36 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requested credential (TIMELESS_ACCESS_TOKEN) match its stated purpose (managing Timeless meetings and capturing podcast/YouTube media) and contain no disproportionate or unrelated requirements.
- Guidance: This skill appears to do what it says: it needs your Timeless access token to read and manage meetings and to upload recordings. Before installing, consider: (1) TOKEN SCOPE — treat TIMELESS_ACCESS_TOKEN as sensitive: it gives the skill access to your account data and can upload media on your behalf; use a token with the minimum required scope if Timeless supports that. (2) EXTERNAL DOWNLOADS — the scripts download podcast RSS feeds and YouTube videos to your machine before uploading; avoid running those scripts on machines with sensitive files or where untrusted media might be problematic. (3) REVIEW & SANDBOX — if you don’t fully trust the skill source, review the three included scripts (podcast.sh, youtube.sh, upload.sh) yourself and run them in a sandboxed environment. (4) FIX TYPOS — the docs contain minor variable-name inconsistencies (TIMELESS_TOKEN vs TIMELESS_ACCESS_TOKEN); ensure you supply the correct variable when configuring. If you need the skill to auto-run, verify policies and token permissions first.
Review Dimensions
- Purpose & Capability (ok): The skill is about interacting with Timeless (list meetings/rooms, fetch transcripts, upload recordings, capture podcasts/YouTube). Required binaries (curl, node, optional yt-dlp) and the single required env var (TIMELESS_ACCESS_TOKEN) are consistent with those tasks. The included scripts implement expected flows (download media, obtain presigned upload URL, upload and trigger processing).
- Instruction Scope (note): Runtime instructions and scripts stay within the stated domain: they call my.timeless.day endpoints, use presigned storage URLs (storage.googleapis.com) for file upload, fetch podcast RSS/iTunes and YouTube content for capture. Two small documentation inconsistencies: some examples in api-reference.md use TIMELESS_TOKEN instead of TIMELESS_ACCESS_TOKEN, and metadata versioning in SKILL.md differs from registry version; these are likely typos but should be corrected. Otherwise there is no instruction to read unrelated local files or network endpoints beyond those required for media capture and Timeless API access.
- Install Mechanism (ok): This is instruction-only (no install spec). No downloads from untrusted URLs or archive extraction are present. Scripts are included in the skill bundle and use system binaries (curl/node/yt-dlp) already expected for the functionality.
- Credentials (note): The skill requests a single credential (TIMELESS_ACCESS_TOKEN), which is appropriate for accessing a Timeless account. Be aware this token grants access to the user's Timeless data (meetings, transcripts, recordings) and the ability to upload new media. YTDLP_PATH is supported as an optional override but is not required.
- Persistence & Privilege (ok): The skill is not set to always:true and is user-invocable; it does not request elevated or permanent platform privileges. It does not modify other skills or system-wide agent configuration.
