meeting-prep

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill’s goal is understandable, but it asks for broad Google Calendar and GitHub credentials and recurring automation without tight scope declarations.

Use this only if you are comfortable granting calendar and repository access. Prefer read-only Calendar scopes and a fine-grained GitHub token limited to needed repositories, protect the local credential files, and enable scheduled checks only after confirming the calendars, repos, and summary destination.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token or agent behavior is misused, it could expose or affect calendars and private repositories beyond the requested summaries.

Why it was flagged

The stated workflows read upcoming meetings and commit history, but these credentials are broad and can exceed that read-only purpose.

Skill content

Authorize with scopes: `https://www.googleapis.com/auth/calendar` ... Create a classic Personal Access Token with `repo` scope. Store at `credentials/github_token`.

Recommendation

Use the narrowest available scopes, such as read-only Calendar access and a fine-grained GitHub token limited to selected repositories, and declare these credential requirements clearly.

What this means

A misconfigured organization or token could allow the agent to enumerate or summarize more repositories than intended.

Why it was flagged

The skill documents raw API calls using bearer tokens. This is purpose-aligned for commit summaries, but users must ensure the organization and repository targets are intentional.

Skill content

curl -s -H "Authorization: Bearer $TOKEN" "https://api.github.com/orgs/ORG_NAME/repos?per_page=50&sort=pushed"

Recommendation

Set explicit repo filters before use, verify the ORG/REPO values, and avoid broad organization-wide tokens unless necessary.

What this means

The skill may repeatedly access calendar and repository APIs on a schedule, depending on how the user sets it up.

Why it was flagged

Recurring checks and state tracking are disclosed and fit meeting reminders, but they create ongoing agent activity if the user configures scheduling.

Skill content

Trigger: Cron every 15 minutes or heartbeat. ... Track state in data/meeting-prep-state.json

Recommendation

Enable cron or heartbeat behavior only with explicit user approval, and review the state file and output destination periodically.