Skill v1.0.0

ClawScan security

Fathom · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 8:22 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to do what it claims (talk to Fathom's API) but it fails to declare that it requires a FATHOM_API_KEY and references a user home config file (~/.fathom_api_key), which is an inconsistency you should understand before installing.
Guidance
This skill's scripts appear to legitimately call Fathom's official API and implement the described features, but the registry metadata omitted the fact that the skill requires an API key and optionally reads ~/.fathom_api_key. Before installing: (1) Verify the skill source/trustworthiness (source/homepage unknown). (2) Expect to provide a FATHOM_API_KEY; prefer setting it as an environment variable rather than writing it to a file, and if you do store it in ~/.fathom_api_key keep file perms locked (chmod 600). (3) Be careful when running setup-webhook.sh: it will register a webhook that will deliver transcripts to whatever endpoint you provide — only use a trusted HTTPS endpoint and verify webhook signatures on your endpoint. (4) Note that the script prints the webhook secret to stdout; treat that output as sensitive. (5) If you need stronger assurance, run the scripts in an isolated/sandboxed environment first and inspect network traffic to confirm calls go only to api.fathom.ai. (6) Ask the publisher/registry to update metadata to declare FATHOM_API_KEY and the ~/.fathom_api_key config path so the requirement is explicit.

Review Dimensions

Purpose & Capability
concern: Name/description match the code: scripts call https://api.fathom.ai to list meetings, fetch transcripts/summaries, and register webhooks. However, the registry metadata lists no required environment variables or primary credential, while the scripts and SKILL.md clearly require an API key (FATHOM_API_KEY) and optionally read ~/.fathom_api_key. The missing declaration of the API key/config path is an inconsistency.
Instruction Scope
note: Runtime instructions and scripts stay within the described scope: they use curl/jq to call the Fathom API endpoints and provide webhook registration. They do instruct the user to store an API key in ~/.fathom_api_key (or set FATHOM_API_KEY) and to provide a public HTTPS webhook endpoint; both are reasonable for the feature set but expand required operational setup. The scripts do not access or exfiltrate other local files or send data to non-Fathom endpoints (except the provided webhook URL, which is user-controlled).
Install Mechanism
ok: There is no install spec; the skill is a collection of shell scripts and documentation. No remote downloads or package installs are performed by the skill itself, minimizing install-time risk.
Credentials
concern: The skill requires a single API credential (FATHOM_API_KEY) to function, which is proportionate. But that credential and the config path (~/.fathom_api_key) are not declared in the registry metadata (required env vars and primary credential are empty). This mismatch is a red flag: the skill will silently fail without the key, and the metadata doesn't warn users or the platform that a secret is needed. The scripts also print webhook secrets to stdout after registration, which could be exposed if the user runs them in an untrusted environment.
Persistence & Privilege
ok: The skill does not request permanent inclusion (always: false) and does not modify other skills or system-wide configuration. It suggests storing an API key in a home file, but it does not itself write persistent files or change agent settings.