Zoom Calendar
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill does what it claims, but it directly handles high-privilege Zoom/Google credentials and can leave a Google refresh token in a temporary file if it errors.
Review before installing. This skill is coherent for Zoom plus Google Calendar scheduling, but it needs powerful Zoom and Google account access. Only use it with accounts you intend to modify, verify the event ID before running it, and fix or harden the temporary-token cleanup before relying on it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A leftover refresh token could let another process or user with local access reuse the Google account authorization.
The script writes the Google refresh token to a temporary file, but cleanup occurs only after later checks. If the script exits before the rm command, the refresh token can remain on disk.
GOG_TOKEN_FILE=$(mktemp)
gog auth tokens export "$GOG_ACCOUNT" --out "$GOG_TOKEN_FILE" --overwrite 2>/dev/null
REFRESH_TOKEN=$(jq -r '.refresh_token' "$GOG_TOKEN_FILE")
...
if [ ! -f "$GOG_CREDS_FILE" ]; then
  ...
  exit 1
fi
...
rm -f "$GOG_TOKEN_FILE"
Avoid exporting refresh tokens to disk if possible. At minimum, validate prerequisites before exporting, use a trap such as `trap 'rm -f "$GOG_TOKEN_FILE"' EXIT`, and ensure the temp file has restrictive permissions.
Installing it requires trusting the skill with powerful Zoom meeting permissions for the configured account.
The skill discloses Zoom Server-to-Server OAuth admin meeting scopes. These are expected for this integration style, but they are broader than ordinary per-user meeting creation.
Scopes: `meeting:write:admin`, `meeting:read:admin`.
Use the least-privileged Zoom app possible, restrict the app to the intended account, and revoke credentials if you stop using the skill.
Running the script changes real Zoom and Google Calendar data for the configured accounts.
The script performs direct API mutations: it creates a Zoom meeting and patches a Google Calendar event. This matches the stated purpose, but it is still account-changing behavior.
curl -s -X POST "https://api.zoom.us/v2/users/me/meetings" ...
curl -s -X PATCH "https://www.googleapis.com/calendar/v3/calendars/primary/events/${EVENT_ID}?conferenceDataVersion=1"
Run it only after confirming the target Google account, calendar event ID, meeting title, time, and duration.
The skill may fail or behave unexpectedly if the local tools are missing, outdated, or replaced by untrusted binaries.
The skill depends on external local command-line tools. There is no install spec in the supplied artifacts, so users must supply and trust those tools themselves.
Required CLI tools: `gog`, `jq`, `curl`, `base64`
Install these tools from trusted sources and verify that `gog` is the intended Google Calendar CLI before using the skill.
