Skill v1.0.0
ClawScan security
meeting-notetaker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 6, 2026, 3:05 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions ask the agent to source local context and read Google Calendar credentials from system paths, but the skill metadata declares no required config paths or credentials — this mismatch and the explicit 'source' instruction are concerning.
- Guidance: This skill's instructions explicitly tell the agent to 'source' a local .context file and to read Google Calendar credentials from a hardcoded path, but the skill metadata declares no required secrets or config paths. Sourcing a file can run arbitrary shell code and will expose any variables or secrets inside it. Before installing or enabling this skill: 1) ask the publisher to update the manifest to declare required config paths and credentials (and explain why each is needed), 2) inspect the actual .context and credentials files the skill will read to ensure they contain only expected configuration (not executable code or unrelated secrets), 3) confirm that the MCP tools referenced (get_notetaker_meetings, monday-api-mcp__create_item) exist and are trusted, and 4) if you cannot verify these, avoid enabling the skill or run it in an isolated/test account. The mismatch between declared requirements and runtime behavior is the main concern.
Review Dimensions
- Purpose & Capability (concern): The described purpose (fetch monday.com Notetaker meeting notes and optionally prepare 'next meeting' context) is reasonable, but the SKILL.md requires access to local Google Calendar credentials (/opt/ocana/openclaw/.gog/credentials.json) and a local .context file. The skill metadata declares no required env vars or config paths, so the runtime requirements do not match the manifest. Requesting Google Calendar access is coherent for 'next meeting' mode, but it should be declared explicitly; the current mismatch is unexplained.
- Instruction Scope (concern): The instructions tell the agent to source a local file (.context) and to directly use the Google Calendar API with credentials from a hardcoded local path. Sourcing arbitrary files (source "$CONTEXT_FILE") can execute code and expose any variables in that file. The SKILL.md also references MCP tools (get_notetaker_meetings, monday-api-mcp__create_item) without declaring them. The instructions therefore access local secrets and execute shell operations outside the stated manifest scope.
- Install Mechanism (ok): No install spec or code files are included; the skill is instruction-only, so nothing is downloaded or installed by the manifest itself.
- Credentials (concern): The manifest lists no required environment variables or config paths, yet the runtime instructions expect OWNER_EMAIL, CALENDAR_ID, GOG_CREDS and a specific credentials file. That is disproportionate and opaque: a skill that needs Google credentials should declare them explicitly and justify the access. The implicit expectation that sensitive credential files exist at hardcoded paths is a red flag.
- Persistence & Privilege (note): The skill is not always-enabled and does not request elevated platform privileges in its metadata. However, because it instructs the agent to read local credential files and source a local .context file, an autonomously invoked agent could access those secrets whenever the skill runs. This is a notable operational risk even though 'always' is false.
