Skill v1.0.0
ClawScan security
Meetlark - coordinate a meeting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:23 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: This instruction-only skill is coherent with its scheduling purpose (it calls meetlark.ai APIs and requires no extra system credentials); the main operational risk is the ambiguous instruction to 'store the admin token in your memory', which could persist longer than intended.
- Guidance: Before installing: 1) Confirm you trust meetlark.ai (review their privacy policy and docs) because the skill will create polls on that external service and handle tokens. 2) Ask how your agent implements “memory” — if memory is persistent, consider avoiding automatic long-term storage of admin tokens or require explicit user approval to store them. 3) Understand what data the admin token grants (viewing who voted) and avoid creating polls containing highly sensitive participant lists. 4) If you need stronger control, perform poll creation manually (use the service UI) and provide only the participate URL to the agent. 5) Review the service's OpenAPI/ai-plugin manifest (links are provided) if you want to audit exact API behavior before enabling the skill.
Review Dimensions
- Purpose & Capability (ok): Name/description match the instructions: all runtime steps are HTTP calls to meetlark.ai endpoints to create polls, share participate links, check results, and close polls. No unrelated binaries, environment variables, or config paths are requested.
- Instruction Scope (note): Instructions are narrowly scoped to interacting with the meetlark API and guiding the user (create poll, poll email verification status, share URL, view/close poll). One notable instruction: 'Store it in your memory for the poll's lifetime' (referring to the admin token). That is appropriate for functionality but ambiguous about how long/how/where the token is persisted by the agent and whether it will be retained beyond the poll lifetime.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. This minimizes disk/write risk.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths. All API access is handled at runtime via tokens returned by the service (admin/participate tokens), which is proportionate to the stated purpose.
- Persistence & Privilege (concern): always:false and autonomous invocation are normal. The concern is the guidance to store admin tokens in agent memory: depending on the agent platform, 'memory' may be persistent and could allow future access to poll results or voter identities beyond the intended lifetime. The SKILL.md does not instruct token expiry/removal procedures.
