Skill v1.0.0
ClawScan security
tencent-meeting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 8:11 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its claimed Tencent Meeting functionality, but the package metadata omits the sensitive environment variables it actually requires and the publisher/source are unknown — this mismatch and lack of provenance merit caution.
- Guidance: This skill's code implements the advertised Tencent Meeting API calls and will need your Tencent AK/SK and AppId/SdkId (and for transcripts an STS token). Before installing:
  1) Treat the package as coming from an unknown/unverified publisher (no homepage/source provided); prefer an official SDK/plugin if available.
  2) Do not provide high-privilege or long-lived account secrets; use a least-privilege API key or temporary STS token where possible.
  3) Note that the registry metadata omitted the required env vars; assume the SKILL.md is authoritative.
  4) Review the included scripts (you already have them) and test in an isolated environment to confirm behavior and that network calls only go to api.meeting.qq.com.
  5) If you must use it in production, ask the publisher for provenance or an official source and consider running the skill behind network monitoring or with token-scoped limits.
  If you are uncomfortable with an unknown publisher having API-level access to your Tencent Meeting account, do not install or provide credentials.
Review Dimensions
- Purpose & Capability (note): The scripts and SKILL.md implement Tencent Meeting operations (create/query meetings, list recordings, extract transcripts) and require Tencent API credentials, which is coherent with the stated purpose. However, the registry metadata lists no required env vars or primary credential, while the SKILL.md and code clearly require TM_SECRET_ID, TM_SECRET_KEY, TM_APP_ID, TM_SDK_ID (and optionally TM_STS_TOKEN). That metadata omission is an inconsistency and could mislead users about what privileges are needed.
- Instruction Scope (ok): Runtime instructions and the included scripts only construct signed requests to api.meeting.qq.com and print API responses; they do not reference unrelated system files or external endpoints beyond the Tencent Meeting API. The SKILL.md explicitly maps natural language inputs to specific script invocations and required parameters.
- Install Mechanism (ok): There is no install spec (instruction-only), so nothing is downloaded during install. The skill bundle does include Node scripts that will run when invoked. No external installers, archive downloads, or third-party package fetches are present in the manifest.
- Credentials (concern): The scripts require multiple sensitive environment variables (TM_SECRET_ID, TM_SECRET_KEY, TM_APP_ID, TM_SDK_ID and optionally TM_STS_TOKEN), which are appropriate for AK/SK API access to Tencent Meeting. The concern is that the registry metadata did not declare these required credentials, so a user installing from the registry might not realize they'll need to provide these secrets. The code uses the secret key only to compute an HMAC signature (it is not directly transmitted), but supplying these credentials grants the skill full API access for the associated enterprise app; supply least-privilege or STS-limited credentials where possible.
- Persistence & Privilege (ok): The skill does not request always:true and will not be force-included. It doesn't attempt to modify other skills or system settings. Autonomous invocation is allowed by default (normal), but combined with the unknown publisher and missing metadata it increases the importance of the credential concerns above.
