Zoom Meetings

AdvisoryAudited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note

ASI03: Identity and Privilege Abuse

What this means

Anyone using the skill should understand that it can act on the configured Zoom account, including listing, creating, retrieving, and deleting meetings.

Why it was flagged

The skill uses local Zoom Server-to-Server OAuth credentials, which is expected for Zoom API access but gives the skill delegated authority over Zoom meetings.

Skill content

**Credentials location:** `~/.openclaw/credentials/zoom.json`

Recommendation

Use a Zoom app with the minimum required scopes, protect the credential file, and only enable this skill where meeting-management actions are appropriate.

Note

ASI02: Tool Misuse and Exploitation

What this means

If the agent misunderstands a request, it could cancel the wrong Zoom meeting.

Why it was flagged

Deleting meetings is a user-visible account mutation. This is part of the stated purpose, but the instructions do not require an explicit confirmation before deletion.

Skill content

### 4. delete_meeting

Delete a Zoom meeting.

Recommendation

Ask for explicit confirmation before deleting a meeting, especially when the request is ambiguous or the meeting ID was inferred.

Note

ASI02: Tool Misuse and Exploitation

What this means

Participants may be able to join before the host and without waiting-room admission, which may be inappropriate for sensitive meetings.

Why it was flagged

New meetings are created with join-before-host enabled and waiting room disabled. This is not hidden, but it is a meeting-security-relevant default.

Skill content

"settings": {
                "join_before_host": True,
                "mute_upon_entry": False,
                "waiting_room": False
            }

Recommendation

Review and adjust the default meeting security settings before using this skill for confidential or public meetings.

Note

ASI04: Agentic Supply Chain Vulnerabilities

What this means

The skill may fail or rely on packages already present in the environment, and users have less clarity about dependency installation.

Why it was flagged

The skill references Python dependencies, but the supplied install specifications say there is no install spec. This is an under-declared setup detail rather than evidence of malicious behavior.

Skill content

- `requests` - For HTTP requests to Zoom API
- `pytz` - For timezone conversions (installed automatically)

Recommendation

Declare dependencies and installation steps explicitly, preferably with pinned package versions.