Skill v1.0.0
ClawScan security
Meixin Meeting Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 9, 2026, 3:56 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's functionality (upload audio → call Fun‑ASR → produce minutes) is coherent, but there are notable red flags—most importantly a hard-coded API key fallback in the code and SKILL.md and the routine transmission of sensitive meeting audio/text to an external service—so you should review provenance, credentials, and privacy before installing.
- Guidance: Things to check before installing/using:
  - The skill will upload full meeting audio and transcribed text to dashscope.aliyuncs.com (a third party). Confirm the service is trusted and that you are allowed to send this sensitive data. Ask about their data retention, access control, and deletion policy.
  - The code and SKILL.md include a hard-coded API key fallback. Treat that as suspicious: do not rely on it. Ask the author why a default key is embedded, remove it, and ensure you provide your own managed DASHSCOPE_API_KEY. Rotate/revoke any exposed keys.
  - Verify the skill's provenance (who published it, whether the owner is known/reputable). The package has no homepage and unknown source—prefer internal or vendor-signed skills for sensitive corp data.
  - Confirm the agent environment actually has the upload_to_cdn capability (the instructions reference it but it isn't clearly declared) or be prepared to provide a public CDN URL yourself.
  - If you must use this, test on non-sensitive audio first (or scrub PII) and monitor for unexpected network activity. Request a privacy/data-flow statement from the author explaining what is sent to the ASR provider and what metadata is stored locally.

  What would change this assessment to benign: removing the hard-coded credential, explicit publisher provenance (company-verified author), and a clear privacy/retention policy from the ASR provider confirming acceptable handling of internal meeting data.
Review Dimensions
- Purpose & Capability (note): The name/description (internal meeting transcription + structured minutes) matches the code and instructions: it needs an ASR API key and access to workspace meeting memory for speaker attribution and knowledge linking. Minor mismatch: SKILL.md references an upload_to_cdn tool but that tool is not listed among declared optional tools (only audios_understand, exec, write are listed). This is likely a documentation/tooling oversight, not a fundamental mismatch.
- Instruction Scope (note): Runtime instructions and the included script only perform: obtain a publicly accessible CDN URL for the audio, submit it to dashscope.aliyuncs.com Fun‑ASR, poll for results, and save transcripts to /workspace/memory/meetings/. The skill also reads /workspace/memory/knowledge_index.json and archived meeting files for speaker attribution, which is coherent with the stated purpose. The functional scope is reasonable, but it does transmit full meeting audio and transcribed text to a third‑party service (sensitive data exfiltration risk by design).
- Install Mechanism (ok): No install spec; this is instruction-only with a helper script. Nothing is downloaded from arbitrary URLs or written to system locations beyond declared workspace paths. That minimizes installation-time risk.
- Credentials (concern): The skill declares a single required env var (DASHSCOPE_API_KEY), which is proportionate. However both SKILL.md and scripts include a hard-coded fallback API key string (looks like a Bearer-style secret). Hard-coded credentials in published code are a serious red flag: they can be accidental (test key), leaked, or intentionally placed to make the skill use someone else's credential. This increases the risk of unintended billing, abuse, or credential exposure. No other unrelated secrets are requested.
- Persistence & Privilege (ok): always is false (no forced inclusion). The skill writes transcripts into /workspace/memory/meetings/ (declared in metadata) and reads declared memory files; it does not request system-wide config or other skills' credentials. Autonomy (model invocation allowed) is default and not by itself a problem.
