ZOOM Meeting Admin
Pass
Audited by ClawScan on May 5, 2026.
Overview
No malicious behavior is shown; this is a disclosed Zoom admin helper, but it needs powerful Zoom server-to-server credentials and can read or change Zoom account data.
Install only if you are comfortable giving this skill Zoom Server-to-Server OAuth access. Use a dedicated Zoom app, grant the minimum scopes needed, protect both the .env file and ~/.zoom-s2s-token.json, and require explicit user approval before creating or deleting meetings.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with access to these credentials can use the granted Zoom scopes to manage meetings and read account-related information.
The skill requires Zoom Server-to-Server OAuth credentials, which can act on the Zoom account without an interactive user login once configured.
ZOOM_ACCOUNT_ID=你的AccountID
ZOOM_CLIENT_ID=你的ClientID
ZOOM_CLIENT_SECRET=你的ClientSecret
...
Token acquisition method: Server-to-Server OAuth, machine-to-machine, no interactive user authorization required.
Create a dedicated Zoom Server-to-Server app for this skill, grant only the scopes you need, protect the .env file, and rotate/revoke credentials if they may have been exposed.
Misuse could schedule unwanted meetings or delete existing meetings from the connected Zoom account.
The script can create and delete Zoom meetings. Deletion is guarded by a --yes requirement, and SKILL.md also instructs the agent to confirm with the user.
elif action == "create_meeting":
    ...
elif action == "delete_meeting":
    ...
    if "--yes" not in args:
        print(f"⚠️ 即将删除会议 {args[0]},此操作不可撤销。"
Confirm meeting details before creation, review meeting information before deletion, and do not allow agents to add --yes unless the user has explicitly approved the deletion.
A user reviewing only registry metadata may not realize before installation that the skill needs sensitive Zoom app credentials.
The registry metadata does not declare the credential/config requirement, while the skill documentation requires Zoom OAuth credentials in a .env file.
Required env vars: none
Env var declarations: none
Primary credential: none
Treat the .env setup as a sensitive credential step, and prefer metadata that clearly declares required Zoom credentials or configuration paths.
