Skill v1.0.0

ClawScan security

Join meeting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 22, 2026, 10:17 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely matches its stated purpose (joining meetings), but there are notable mismatches and risky behaviors — most importantly an undeclared persistent API key requirement, an automatic first-call demo that can consume credits, and a tunnel that can expose local services — so review before using.
Guidance
Before installing or running this skill, be aware it requires and will persist an AgentCall API key (AGENTCALL_API_KEY or ~/.agentcall/config.json) even though the registry metadata omitted this. The skill can automatically start a tunnel that proxies remote requests to your localhost (used for avatar/webpage/screen-share modes) — this can expose local web services or data. It also recommends running a 'first-call' full demo (avatar + screenshare) without asking the user, which may consume account credits.

Recommendations:
- Treat the API key as sensitive: prefer setting AGENTCALL_API_KEY in the environment temporarily rather than saving to ~/.agentcall/config.json. If you must save it, store it in a restricted location and review the file first.
- Review the included source (agentcall.py, tunnel.py, bridge/join) yourself (or run in an isolated container/VM) to confirm behavior and to disable automatic saving/first-call defaults.
- If you must use webpage/screen-share modes, prefer providing a public webpage-url (avoids tunneling) or run the skill on a machine/network compartment with no sensitive local services exposed.
- Consider setting defaults to audio-only or disabling first-call automatic demo to avoid unexpected credit usage; monitor your AgentCall account for charges.
- Verify the skill origin: plugin.json points to pattern-ai-labs/agentcall on GitHub and agentcall.dev — confirm those upstream sources match the packaged code and the maintainer identity before trusting persistent credentials.

If you want, I can point out exact lines to change to prevent persistent saving, disable automatic first-call demo, or restrict tunnel behavior.

Review Dimensions

Purpose & Capability
concern: Name/description (join meetings as an AI bot) align with the code and scripts provided (bridge, join, agentcall client, tunnel, UI templates). However the skill metadata declared no required env vars/config, while both SKILL.md and the code require an AGENTCALL_API_KEY or ~/.agentcall/config.json; that's an explicit mismatch (metadata omission) and should be corrected/clarified.
Instruction Scope
concern: SKILL.md and code instruct the agent to read/write ~/.agentcall/config.json, persist defaults silently, and to run local servers and a tunnel for webpage/screen-share modes. The document also tells the agent to not ask for consent for the 'first-call demo' (webpage-av-screenshare) and to save defaults after the call — this gives the skill scope to persist credentials and to start modes that may expose local content or incur billing without an explicit per-call prompt.
Install Mechanism
note: There is no separate install spec but many source files are included (Python/Node). Dependencies are standard (aiohttp, websockets, ws) and no arbitrary binary downloads are used. Risk from install itself is low, but the package includes runtime network code (tunnel, remote API calls) so runtime behavior — not the install — is the main surface to review.
Credentials
concern: The skill needs an AGENTCALL_API_KEY (and optionally AGENTCALL_API_URL) but the registry declared none — a proportionality/declared-requirement mismatch. The skill also instructs saving the API key persistently to ~/.agentcall/config.json. Additionally, the TunnelClient will proxy remote requests to local ports (localhost), which can expose local services or data to the remote server when webpage/screen-share modes and tunnels are used.
Persistence & Privilege
concern: The skill writes persistent state: ~/.agentcall/config.json (API key, defaults) and a local crash-recovery state file (.agentcall-state.json). It automatically saves 'first-call' defaults and recommends not asking the user for API key each session. While not using always:true, this persistent behavior can store secrets and change future behavior without explicit per-call consent (and can cause billing/credit use).