meeting-prep
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token or agent behavior is misused, it could expose or affect calendars and private repositories beyond the requested summaries.
The stated workflows read upcoming meetings and commit history, but these credentials are broad and can exceed that read-only purpose.
Authorize with scopes: `https://www.googleapis.com/auth/calendar` ... Create a classic Personal Access Token with `repo` scope. Store at `credentials/github_token`.
Use the narrowest available scopes, such as read-only Calendar access and a fine-grained GitHub token limited to selected repositories, and declare these credential requirements clearly.
A misconfigured organization or token could allow the agent to enumerate or summarize more repositories than intended.
The skill documents raw API calls using bearer tokens. This is purpose-aligned for commit summaries, but users must ensure the organization and repository targets are intentional.
curl -s -H "Authorization: Bearer $TOKEN" "https://api.github.com/orgs/ORG_NAME/repos?per_page=50&sort=pushed"
Set explicit repo filters before use, verify the ORG/REPO values, and avoid broad organization-wide tokens unless necessary.
The skill may repeatedly access calendar and repository APIs on a schedule, depending on how the user sets it up.
Recurring checks and state tracking are disclosed and fit meeting reminders, but they create ongoing agent activity if the user configures scheduling.
Trigger: Cron every 15 minutes or heartbeat. ... Track state in data/meeting-prep-state.json
Enable cron or heartbeat behavior only with explicit user approval, and review the state file and output destination periodically.
