Granola Meeting Transcripts

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: granola
Version: 1.0.0

The skill is designed to sync Granola meeting data locally. It reads authentication tokens from `~/Library/Application Support/Granola/supabase.json` (Granola's own auth file) and connects exclusively to `api.granola.ai` to fetch meeting data, which it then saves to a user-specified local directory. The `SKILL.md` instructs the agent to set up a `clawdbot_cron` job to periodically run the sync script, which is a form of persistence but directly aligned with the skill's stated purpose of keeping meeting data up-to-date. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, or prompt injection attempting to subvert the agent's behavior beyond its stated function.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the sync lets the script access your Granola account's meeting documents using your existing signed-in desktop session.

Why it was flagged

The script reads the local Granola app auth token and uses it as a bearer token for the Granola API. This is disclosed and purpose-aligned, but it grants access to the user's Granola meeting data.

Skill content

SUPABASE_PATH = Path.home() / "Library/Application Support/Granola/supabase.json" ... "Authorization": f"Bearer {token}"

Recommendation

Run it only on a machine where you trust the skill and are comfortable using your Granola session token for transcript export.

What this means

Your meeting transcripts and notes will exist as local files outside the Granola app.

Why it was flagged

The skill saves meeting transcripts, raw transcript data, full API responses, and notes to local disk. This is expected for the skill, but meeting records can contain sensitive business or personal information and may later be searched or reused by an agent.

Skill content

~/granola-meetings/ {meeting-id}/ metadata.json, transcript.md, transcript.json, document.json, notes.md

Recommendation

Choose a protected output folder, avoid syncing it to untrusted locations, and be careful before sharing or indexing the generated files.

What this means

If you add the cron job, the sync can continue running periodically and updating local copies of meeting data.

Why it was flagged

The documentation includes an optional scheduled job that repeatedly runs the sync every 6 hours. It is disclosed and user-initiated, but it is persistent automation.

Skill content

clawdbot_cron({ action: "add", ... schedule: { kind: "cron", expr: "0 */6 * * *" } ... message: "Run the Granola sync: python {skillsDir}/granola/scripts/sync.py ~/granola-meetings" })

Recommendation

Only enable the cron job if you want automatic sync, and keep track of how to disable or remove it later.

What this means

Installing dependencies pulls code from the Python package ecosystem into the runtime environment.

Why it was flagged

The skill asks the user to install the Python `requests` package manually, without a pinned version or install spec. This is common and relevant to the script's API calls, but users should understand it is an external dependency.

Skill content

pip install requests

Recommendation

Install from a trusted Python environment and consider pinning or reviewing the dependency if using this in a sensitive environment.