Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Book Google Meet

v1.0.7

Create scheduled Google Calendar events with OPEN access Google Meet spaces.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description align with the included code: book_meeting.py implements Calendar event creation and uses the Meet API to look up and patch a Meet 'space' accessType. Requested OAuth scopes and the use of google-api-python-client are coherent for this purpose. However, the registry metadata supplied to the evaluator lists no required env vars or config paths while the SKILL.md and code expect client_secrets.json or GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET and write meeting_token.pickle — that mismatch is unexpected.
Instruction Scope
SKILL.md instructs the user to obtain OAuth credentials, install the Python packages, and run the script. The runtime instructions and the script operate only against Google APIs (Calendar and Meet) and only access client credential files, environment variables, and create a local token file. They do not attempt to read unrelated system files or send data to third‑party endpoints.
Install Mechanism
This is instruction-only with a small Python script and a requirements.txt; dependencies are standard google-auth packages pulled via pip. There is no remote arbitrary code download or obscure installer. Risk from the install mechanism itself is low, but running pip installs and executing the script will install code that interacts with Google APIs.
Credentials
The SKILL.md metadata and code expect OAuth client credentials (client_secrets.json or GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET) and will persist a pickled credentials token (meeting_token.pickle). The registry summary provided earlier reported no required env vars or config paths — that inconsistency is a red flag. Storing OAuth tokens as an unencrypted pickle in the working directory or default paths (~/.config/google-meet) may expose long‑lived credentials if file permissions are not handled carefully. The requested OAuth scopes include calendar and meetings.space.settings which are appropriate for the stated actions but still grant access to calendar events and Meet spaces.
Persistence & Privilege
The skill writes a token file (meeting_token.pickle) to disk and may create or use credential files in user config directories. It does not request always:true or modify other skills. Persisting OAuth tokens is expected for desktop OAuth flows, but you should be aware the token file represents authenticated access and should be protected/removed when not needed.
What to consider before installing
This skill appears to do what it says: create Google Calendar events and set Meet access. Before installing or running it:
1) Verify you trust the skill source — the registry metadata you were shown omits the credential and file requirements that the SKILL.md and code actually expect.
2) Only provide OAuth client credentials you control; prefer creating a dedicated Google Cloud project and OAuth client for this tool.
3) Be aware the script will run a local OAuth flow and persist credentials to meeting_token.pickle (and may look in ~/.config paths); protect or delete that file when done.
4) Review the code yourself (book_meeting.py is included) and consider running in an isolated environment if you have any doubt.
5) Note the tool can set Meet access to OPEN (anyone with the link can join) — ensure that is acceptable for your organization.
If you want this to be lower risk, confirm the registry metadata is corrected to declare required env vars/files, or edit the script to store tokens in a secure location and limit scopes.

Like a lobster shell, security has layers — review code before you run it.
