ZOOM Meeting Admin
Pass
Audited by VirusTotal on May 5, 2026.
Overview
Type: OpenClaw Skill
Name: zoom-meeting-admin
Version: 1.0.1
The skill bundle provides a legitimate interface for managing Zoom meetings via the Server-to-Server OAuth REST API. The core script (scripts/zoom-s2s.py) is well-structured, uses standard Python libraries without external dependencies, and includes security best practices such as restricting file permissions (0600) on cached authentication tokens. The instructions in SKILL.md include safety guidelines for the AI agent, such as requiring user confirmation before deleting meetings, and no evidence of malicious intent, data exfiltration, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with access to these credentials can use the granted Zoom scopes to manage meetings and read account-related information.
The skill requires Zoom Server-to-Server OAuth credentials, which can act on the Zoom account without an interactive user login once configured.
ZOOM_ACCOUNT_ID=你的AccountID
ZOOM_CLIENT_ID=你的ClientID
ZOOM_CLIENT_SECRET=你的ClientSecret
...
Token acquisition method: Server-to-Server OAuth, machine-to-machine, no interactive user authorization required.
Create a dedicated Zoom Server-to-Server app for this skill, grant only the scopes you need, protect the .env file, and rotate/revoke credentials if they may have been exposed.
Misuse could schedule unwanted meetings or delete existing meetings from the connected Zoom account.
The script can create and delete Zoom meetings. Deletion is guarded by a --yes requirement, and SKILL.md also instructs the agent to confirm with the user.
elif action == "create_meeting":
    ...
elif action == "delete_meeting":
    ...
    if "--yes" not in args:
        print(f"⚠️ 即将删除会议 {args[0]},此操作不可撤销。"
Confirm meeting details before creation, review meeting information before deletion, and do not allow agents to add --yes unless the user has explicitly approved the deletion.
A user reviewing only registry metadata may not realize before installation that the skill needs sensitive Zoom app credentials.
The registry metadata does not declare the credential/config requirement, while the skill documentation requires Zoom OAuth credentials in a .env file.
Required env vars: none
Env var declarations: none
Primary credential: none
Treat the .env setup as a sensitive credential step, and prefer metadata that clearly declares required Zoom credentials or configuration paths.
