Meeting Summary
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill is mostly aligned with meeting summarization, but review it first because it handles sensitive recordings and has an unsafe voiceprint filename pattern that could write or delete JSON files outside its intended folder.
Install only if you are comfortable sending selected meeting recordings to StepFun and storing voiceprints/caches locally. Before using voiceprint enrollment or deletion, ensure speaker names are ordinary names without slashes or path-like characters, or wait for the skill to sanitize those inputs.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or adversarial speaker name could cause the skill to overwrite or delete local JSON files outside the voiceprint store.
The voiceprint name is used directly in filesystem paths for saving and deleting. A name containing path separators such as '../' could escape the intended voiceprint directory and write or delete accessible .json files.
path = os.path.join(VOICEPRINT_DIR, f"{name}.json") ... path = os.path.join(VOICEPRINT_DIR, f"{args.name}.json") ... os.remove(path)
Reject names containing path separators, normalize and resolve paths, enforce that all writes/deletes remain inside the voiceprint directory, and require confirmation before deletion.
Using the skill can consume the user's StepFun account quota and relies on a locally stored provider credential.
The skill reads a StepFun API key from local files or environment variables and uses it as a bearer token for provider API calls.
KEY_FILE_CANDIDATES = ("~/.stepfun_api_key", "~/.step_api_key") ... "Authorization": f"Bearer {api_key}"
Use a dedicated StepFun key with appropriate limits, store it with restrictive permissions, and ensure the registry metadata clearly declares this credential requirement.
Meeting recordings may leave the local machine and be processed by an external provider.
The transcription path uploads the selected audio file to StepFun's external ASR endpoint.
TRANSCRIPTIONS_URL = "https://api.stepfun.com/v1/audio/transcriptions" ... with open(file_path, "rb") as handle: data = handle.read() ... method="POST"
Only process recordings that are acceptable to send to StepFun, review provider data-handling terms, and avoid using this skill for highly confidential meetings unless that data flow is approved.
Names, voice embeddings, transcripts, or derived meeting metadata may remain on disk after processing.
The skill keeps persistent voiceprint embeddings and ASR/diarization cache files in the OpenClaw workspace.
memory/voiceprints/ # Enrolled speaker voiceprints ... cache/meeting-summary/ # ASR + diarization cache
Periodically review and delete cached meeting data and voiceprints that are no longer needed, and consider adding retention controls.
The installed behavior may vary over time depending on package/model changes or upstream availability.
The setup guide relies on external package and model downloads, with some packages not pinned to exact versions.
pip install pyannote.audio huggingface_hub soundfile torch ... curl -L "https://github.com/wenet-e2e/wespeaker/releases/download/v2.1/voxceleb_resnet34.onnx"
Pin dependency versions, verify model download checksums, and install from trusted sources.
