Cms Meeting Monitor
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's code and docs generally match its stated purpose (pulling meeting content and notifying), but there are inconsistencies in the declared requirements and an undeclared dependency/call pattern that merit caution before installing.
What to check before installing:
- Confirm the API key requirement: SKILL.md and the Python scripts require XG_BIZ_API_KEY. The registry metadata you saw earlier omitted that. Verify that the publisher expects you to provide this key, and understand where it is stored.
- Verify and install the cms-meeting-materials dependency: monitor.py calls a trigger-pull.py in a 'cms-meeting-materials' sibling path. Ensure that dependency is present, legitimate, and reviewed (inspect its trigger-pull.py and stop-pull.py). If the dependency is missing, the skill will fail, or it will attempt to run unexpected code if malicious files are placed at that path.
- Inspect trigger-pull.py / stop-pull.py: because monitor.py runs them via subprocess, those scripts determine what network/IO happens during a pull. Review them for network endpoints, credential use, or data exfiltration before granting the API key.
- Keep file roots limited: by default the skill writes to ~/.openclaw; avoid setting CMS_MEETING_MONITOR_ROOT to system or sensitive paths. Run the skill under a restricted user account if possible.
- Treat the API key as sensitive: store it in a secrets manager or guarded env, and rotate it if you test in an untrusted environment.
- Ask the publisher to update registry metadata: required env vars (XG_BIZ_API_KEY) and the dependency on cms-meeting-materials should be declared in the skill registry entry to remove the inconsistency.

Given these issues (metadata mismatch and undeclared filesystem dependency), the skill appears coherent with its purpose but needs those clarifications before you should deploy it broadly.
SkillSpector
SkillSpector findings are pending for this release.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings
