Ghostmeet
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Ghostmeet’s instructions match its meeting-transcription purpose, but installing it requires external Docker and Chrome-extension code, and it handles sensitive meeting transcripts.
Install only if you are comfortable running the external Ghostmeet backend and Chrome extension. Audit or pin the repository first, protect the Anthropic API key, confirm meeting participants are comfortable with transcription, and avoid sending sensitive transcripts for AI summary unless that is acceptable.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The installed backend or extension could access meeting audio or transcripts, so the safety of those external files matters.
The setup pulls and runs external backend and extension code that is not part of the reviewed skill artifact and is not pinned to a commit.
git clone https://github.com/Higangssh/ghostmeet.git ... docker compose up -d ... Chrome Extension must be installed in developer mode from `extension/` folder.
Review or pin the Ghostmeet repository before installing, audit the Chrome extension permissions, and run it only in an environment you trust.
A local Ghostmeet service may remain available on your machine until you stop it.
The backend is started in detached mode, so it can continue running after the immediate chat task is complete.
docker compose up -d
Stop the backend when finished, for example with Docker Compose from the Ghostmeet directory, and disable or remove the browser extension when not in use.
If the key is mishandled, someone else could use your Anthropic account or incur API costs.
Summary generation uses an Anthropic API credential, which is expected for the feature but still needs normal secret-handling care.
`GHOSTMEET_ANTHROPIC_KEY` — required for AI summary generation.
Use a dedicated API key if possible, keep the `.env` file private, monitor usage, and revoke the key if you no longer need it.
Private meeting details may be displayed in the current chat or used to answer later questions about sessions.
The skill can retrieve stored meeting transcripts, which are sensitive contextual records of private conversations.
Fetch transcripts → retrieve full text from a session
Ask for specific sessions when possible, avoid recording highly sensitive meetings unless appropriate, and delete old transcripts according to your privacy needs.
Meeting transcript content leaves the local machine when AI summaries are generated.
The artifact clearly discloses that generating summaries sends transcript text to an external AI provider.
Summaries use Anthropic API — when you click Summarize, transcript text is sent to Claude API.
Generate summaries only with participant consent and only for meetings whose contents you are comfortable sending to the configured AI provider.
