Fathom
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
The Fathom skill mostly matches its stated purpose, but its webhook setup can persistently send sensitive meeting transcripts and summaries, including shared or team recordings, to a supplied public endpoint.
Use the on-demand list, transcript, and summary commands only with a Fathom API key you are comfortable granting. Be especially careful with setup-webhook.sh: only use it with an endpoint you control, understand that it may include shared/team recordings by default, and delete the webhook if you no longer need automatic ingestion.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You have less information to verify who maintains the skill before giving it access to your Fathom account.
The registry does not provide provenance or a project homepage. This is not malicious by itself, but it matters because the skill handles API credentials and meeting data.
Source: unknown; Homepage: none
Review the included scripts and only use the skill if you trust the publisher or can verify the code yourself.
Anyone or any process that can read the configured key may be able to access Fathom meeting data available to that API key.
The skill requires a Fathom API key stored locally or in an environment variable. That is expected for this integration, but it grants access to meeting records, transcripts, and summaries.
echo "YOUR_API_KEY" > ~/.fathom_api_key
chmod 600 ~/.fathom_api_key
# Option B: Environment variable
export FATHOM_API_KEY="YOUR_API_KEY"
Use a dedicated Fathom API key with the minimum available scope, keep ~/.fathom_api_key restricted, and rotate the key if you stop using the skill.
If this webhook is enabled, sensitive meeting content may be automatically delivered to a public endpoint for more recordings than the user expected, including shared or team meetings.
The webhook setup defaults to sending transcripts, summaries, and action items to a user-supplied HTTPS endpoint, and it registers broad recording categories including shared external and team recordings.
INCLUDE_TRANSCRIPT=true
INCLUDE_SUMMARY=true
INCLUDE_ACTION_ITEMS=true
...
"destination_url": "$WEBHOOK_URL",
...
"triggered_for": ["my_recordings", "shared_external_recordings", "my_shared_with_team_recordings", "shared_team_recordings"]
Do not run the webhook setup unless you control the destination endpoint and want automatic ingestion. The skill should document the recording categories clearly, default to the narrowest scope, and require explicit confirmation before enabling broad transcript delivery.
