Skill v1.0.0

ClawScan security

Meet.bot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 5, 2026, 4:09 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions clearly require a Meet.bot API key (Bearer token) but the skill metadata does not declare any required credentials or env vars — an incoherence that could lead to accidental secret handling or improper storage.
Guidance
This skill appears to do what it says, but it fails to declare that it needs a Meet.bot API key. Before installing or using it: (1) ask the maintainer or publisher why no credential is declared in the metadata and request that the skill explicitly declare a primaryEnv for the Meet.bot token so the platform can handle it securely; (2) do not paste your production API key into free-text prompts — prefer platform-managed secret storage or a limited-scope/test token; (3) verify the domain (https://mcp.meet.bot) and the skill publisher identity (homepage/source missing); and (4) test with a disposable account or token first, and confirm the skill’s booking behavior (bookings cannot be cancelled via this server) to avoid accidental commitments.

Review Dimensions

Purpose & Capability
note: The name and description (scheduling via mcp.meet.bot) match the SKILL.md tooling and workflows. However, the SKILL.md explicitly requires a Meet.bot API key, while the registry metadata lists no required credentials — the declared purpose is coherent but the credential handling is not.
Instruction Scope
ok: The SKILL.md stays on-purpose: it lists API endpoints/tools, when to call them, required parameters, and warns to confirm bookings. It instructs the agent to ask the user for an API key before proceeding (no other unrelated files, paths, or external endpoints are referenced).
Install Mechanism
ok: No install spec or code files are present (instruction-only), so nothing is written to disk or downloaded — this is the lowest-risk install model.
Credentials
concern: The runtime instructions require a Meet.bot API key (Bearer token), but requires.env / primary credential fields in the registry are empty. This mismatch means the platform won't advertise/verify the required secret, and the skill may prompt users to paste sensitive tokens ad-hoc (risking insecure handling or accidental transmission).
Persistence & Privilege
ok: The skill does not request always:true, does not attempt to persist or modify other skills or agent-wide settings in the instructions, and is not requesting broad system privileges.