Zoom Meetings

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it can delete Zoom meetings using stored account credentials without a documented confirmation step.

Install only if you want OpenClaw to act on the configured Zoom account. Use least-privilege Zoom app scopes, protect the credential file, verify timezone defaults, and manually require confirmation before any delete request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes capabilities to read local credential files and make outbound network requests, but it does not declare corresponding permissions or constraints. This weakens governance and user/agent visibility into what the skill can access, increasing the chance of unintended secret access or unreviewed external calls.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger text is broad enough to invoke the skill whenever a user casually mentions Zoom, even if they are not asking to manage meetings. Because the skill supports destructive and sensitive operations, over-invocation can cause unintended API actions, data exposure, or unsafe parameter collection in the wrong context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill includes a delete_meeting action but does not warn users that deletion is destructive or recommend confirmation before execution. In an agent setting, this omission increases the risk of accidental irreversible actions from ambiguous or mistaken requests.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
Defaulting meeting creation to a specific timezone without user opt-in can silently schedule meetings at incorrect times for many users. In a scheduling skill, this can cause missed meetings, confusion, and unintended disclosure of availability or operational disruption.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill performs destructive deletion of meetings immediately once invoked, with no confirmation step, dry-run mode, or safeguard against accidental or prompt-induced misuse. In an agent context, this increases the risk of unintended deletion from ambiguous user input or malicious prompt manipulation.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
- Create: `POST /users/me/meetings`
- Get: `GET /meetings/{meetingId}`
- List: `GET /users/me/meetings`
- Delete: `DELETE /meetings/{meetingId}`

## Defaults
Confidence
88% confidence
Finding
`DELETE /meetings/{meetingId}`

VirusTotal

66/66 vendors flagged this skill as clean.
