ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zoom Users API MCP

v1.0.0

MCP server for the Zoom Users API. Exposes Zoom Users' REST API as read-only MCP tools.

0· 226·0 current·0 all-time
byMike Quinlan@mjquinlan2000
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim a read-only MCP wrapper for the Zoom Users API. Declared required binaries (mcporter and zoom-users-mcp) and NODE_MCP_SECRET_KEY are plausible for an MCP server, so there is broad alignment. However, the skill does not declare or explain how it will authenticate to Zoom (no Zoom API key/token declared), nor does it provide a homepage or authoritative source for the zoom-users-mcp binary—this gap makes the purpose only partially justified by the declared requirements.
Instruction Scope
SKILL.md contains only minimal runtime instructions (how to call the MCP via mcporter). It does not instruct the agent to read unrelated files or env vars. But it is vague about how Zoom data is accessed, where Zoom credentials/config are stored, and whether the zoom-users-mcp binary will request or read other environment variables or config files—leaving unspecified behavior that could matter at runtime.
Install Mechanism
This is an instruction-only skill (no install spec), which minimizes direct installer risk. However, the skill depends on an external binary (zoom-users-mcp) and offers no install instructions or provenance; that forces users to obtain and run an executable from an external source (npm link in SKILL.md is the only hint). The absence of an install spec is low-risk by itself but shifts risk to the untracked binary the user must supply.
!
Credentials
The skill declares a single required env var (NODE_MCP_SECRET_KEY), which could reasonably be used to secure the MCP channel. But a Zoom Users API wrapper typically needs Zoom API credentials (JWT, OAuth token, API key/secret) or similar; those are not declared. Either the server expects Zoom credentials to be configured elsewhere (not declared) or the zip is incomplete. The mismatch means the skill may require additional undisclosed secrets at runtime.
Persistence & Privilege
The skill does not request 'always: true' and leaves model invocation enabled (default) — normal for skills. No config paths or system-wide modifications are declared. There is no evidence the skill requests elevated persistent privileges.
What to consider before installing
This skill is minimal and mostly just tells the agent how to call a local MCP server, but you should be cautious before installing or running it. Key points: - The SKILL.md does not explain how the MCP connects to Zoom or where Zoom API credentials come from; ask the publisher which Zoom credentials are required and how they should be supplied. - There is no install spec or homepage; the skill requires a 'zoom-users-mcp' binary but doesn't say where to get it beyond an npm package link. Inspect that npm package (or the binary) before running it — review its code, check the publisher identity, and prefer installing in a sandbox. - NODE_MCP_SECRET_KEY is required; treat it as a secret and ensure it only protects the local MCP channel. Verify the binary will not exfiltrate other secrets. - Because this is instruction-only, there's nothing for static scanning to inspect; the real risk comes from the external binary you must obtain. If you need to use this skill, request the author/publisher to: provide a trusted homepage/repo, add clear install instructions, and document required Zoom credentials and what env vars or files the binary reads. If you cannot verify the binary's provenance and behavior, do not run it on sensitive systems or with credentials present.

Like a lobster shell, security has layers — review code before you run it.

latestvk975wdnqgebxaas85vfbn06vw982nwj0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsmcporter, zoom-users-mcp
EnvNODE_MCP_SECRET_KEY

Comments