Granola Meeting Transcripts

v1.0.0

Access Granola meeting transcripts and notes.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Granola meeting transcripts) align with the instructions to call a sync script and store meetings locally. However, the skill implicitly requires the Granola auth file at a macOS-specific path (~/Library/Application Support/Granola/supabase.json) even though the registry metadata lists no required config paths or credentials — that mismatch is noteworthy.
Instruction Scope
SKILL.md explicitly instructs running scripts/sync.py and reading a local supabase.json auth file. Reading that auth file is within the apparent purpose (to authenticate to Granola), but the instructions do not declare this config dependency in the manifest and do not show what the sync script does with the tokens (where it sends API requests, error handling, logging, or whether any data is forwarded elsewhere).
Install Mechanism
No install spec (instruction-only) — lowest install risk. SKILL.md asks the user to pip install 'requests' and run the provided Python script; that is a low-risk, typical dependency request. There is no remote download or archive extraction in the manifest.
Credentials
The skill requires access to a local auth file containing tokens but the manifest declares no required env vars or config paths. Access to a supabase.json with auth tokens is sensitive and should have been declared; the absence of declared credentials/config paths makes it unclear what secrets will be read and how they are used.
Persistence & Privilege
The skill itself is not marked 'always' and model invocation is not disabled. SKILL.md recommends setting up an automated clawdbot_cron job to run the sync periodically — that is a user-configured persistence mechanism (manual action by the user) rather than an implicit skill-level privilege, but it does increase how often the machine and tokens will be accessed if installed.
What to consider before installing
This skill appears to do what it says (sync Granola meetings), but it reads a macOS auth file (~/Library/Application Support/Granola/supabase.json) that contains tokens. Before installing or scheduling the cron job: (1) open and review scripts/sync.py to confirm it only calls Granola/Supabase endpoints and does not exfiltrate data to unknown hosts; (2) ensure you are comfortable with the script having read access to supabase.json (back up and inspect that file first); (3) prefer running the script manually once to observe network activity, or run it in a restricted environment; (4) ask the publisher to update the manifest to declare the required config path/credentials and to document exactly which endpoints the script contacts. If you cannot inspect the script or get clarification, treat this as higher-risk and avoid installing or scheduling automatic sync.

Runtime requirements

🥣 Clawdis
Bins: python3
