Skillv1.0.0

ClawScan security

Meeting Prep Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 15, 2026, 11:14 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The instructions ask the agent to research external sources and read/save user files/memory and calendar/CRM data, but the skill metadata declares no required integrations or credentials — the capability footprint is under‑specified and ambiguous.
Guidance: This skill's behavior is plausible for a meeting-prep tool, but it under-specifies what data sources and permissions it needs. Before installing: 1) Ask the author for a full list of integrations and required credentials (calendar, CRM, cloud storage, company databases) and how authentication is handled. 2) Confirm where memory/meeting-prep files are stored and who can read them. 3) Request explicit limits on what files the agent may read and any external endpoints it will query or post to. 4) If you must test, run it in a restricted/sandbox environment with non-sensitive data and monitor what files/network requests it makes. 5) Prefer skills that declare necessary env vars and integration scopes so you can apply least privilege. Additional information (explicit integration docs, declared env vars/permissions, or an author/homepage) would increase confidence and could change the verdict to benign.

Review Dimensions

Purpose & Capability: concernThe described purpose (pre-meeting research, agendas, talking points, post-meeting capture) legitimately requires access to external information (news, public company data) and to private data (prior invoices, contracts, notes, calendar). The skill metadata declares no required environment variables, credentials, or config paths for calendar/CRM/file storage access, creating an incoherence between purpose and declared requirements.
Instruction Scope: concernSKILL.md explicitly instructs the agent to "research" companies (recent news), and to "pull" prior invoices, contracts, communications, or notes from memory/files and to save outputs under memory/... — these are broad file- and data-access operations. The instructions are operationally vague about which storage/system to access and do not limit what the agent should read, giving the agent wide discretion to access user memory and files.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so there is no additional install-time code being fetched or written to disk.
Credentials: concernNo environment variables, credentials, or config paths are declared, yet the skill expects access to calendar, CRM, contracts, invoices, and the agent's memory/files. That under-declaration is a red flag: integrations that would normally require tokens/credentials are not listed, so it's unclear what permissions the skill will need or assume.
Persistence & Privilege: notealways is false and the skill writes outputs to memory/ paths (expected for a prep tool). Autonomous invocation is allowed (platform default). There is no indication it modifies other skills or global agent settings, but combined with the other concerns, autonomous access could increase risk.