meeting-prep

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: meeting-prep
Version: 1.0.0

The skill 'meeting-prep' is designed for automated meeting preparation and daily commit summaries. It requires access to the Google Calendar and GitHub APIs, so it reads API credentials from `credentials/client_secret.json`, `credentials/calendar_tokens.json`, and `credentials/github_token`. The `curl` commands shown in `SKILL.md` interact with legitimate Google and GitHub API endpoints, which is consistent with the skill's stated purpose. There is no evidence of unauthorized data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts designed to subvert the agent's security or intended function.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the token or agent behavior is misused, it could expose or affect calendars and private repositories beyond the requested summaries.

Why it was flagged

The stated workflows read upcoming meetings and commit history, but these credentials are broad and can exceed that read-only purpose.

Skill content

Authorize with scopes: `https://www.googleapis.com/auth/calendar` ... Create a classic Personal Access Token with `repo` scope. Store at `credentials/github_token`.

Recommendation

Use the narrowest available scopes, such as read-only Calendar access and a fine-grained GitHub token limited to selected repositories, and declare these credential requirements clearly.

What this means

A misconfigured organization or token could allow the agent to enumerate or summarize more repositories than intended.

Why it was flagged

The skill documents raw API calls using bearer tokens. This is purpose-aligned for commit summaries, but users must ensure the organization and repository targets are intentional.

Skill content

curl -s -H "Authorization: Bearer $TOKEN" "https://api.github.com/orgs/ORG_NAME/repos?per_page=50&sort=pushed"

Recommendation

Set explicit repo filters before use, verify the ORG/REPO values, and avoid broad organization-wide tokens unless necessary.

What this means

The skill may repeatedly access calendar and repository APIs on a schedule, depending on how the user sets it up.

Why it was flagged

Recurring checks and state tracking are disclosed and fit meeting reminders, but they create ongoing agent activity if the user configures scheduling.

Skill content

Trigger: Cron every 15 minutes or heartbeat. ... Track state in data/meeting-prep-state.json

Recommendation

Enable cron or heartbeat behavior only with explicit user approval, and review the state file and output destination periodically.