Zoom Calendar
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: zoom-calendar
Version: 1.1.0

The script `scripts/zoom_meeting.sh` is vulnerable to JSON injection because it manually constructs API payloads for Zoom and Google Calendar using unescaped shell variables (e.g., `TOPIC`, `EVENT_ID`). Additionally, the script exports sensitive Google OAuth tokens to a temporary file in `/tmp`, which could lead to credential exposure if the script is interrupted before the file is deleted. While the logic aligns with the stated purpose of meeting integration, these implementation flaws represent significant security vulnerabilities.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A leftover refresh token could let another process or user with local access reuse the Google account authorization.
The script writes the Google refresh token to a temporary file, but cleanup occurs only after later checks. If the script exits before the rm command, the refresh token can remain on disk.
```sh
GOG_TOKEN_FILE=$(mktemp)
gog auth tokens export "$GOG_ACCOUNT" --out "$GOG_TOKEN_FILE" --overwrite 2>/dev/null
REFRESH_TOKEN=$(jq -r '.refresh_token' "$GOG_TOKEN_FILE")
...
if [ ! -f "$GOG_CREDS_FILE" ]; then
  ...
  exit 1
fi
...
rm -f "$GOG_TOKEN_FILE"
```
Avoid exporting refresh tokens to disk if possible. At minimum, validate prerequisites before exporting, use a trap such as `trap 'rm -f "$GOG_TOKEN_FILE"' EXIT`, and ensure the temp file has restrictive permissions.
Installing it requires trusting the skill with powerful Zoom meeting permissions for the configured account.
The skill discloses Zoom Server-to-Server OAuth admin meeting scopes. These are expected for this integration style, but they are broader than ordinary per-user meeting creation.
Scopes: `meeting:write:admin`, `meeting:read:admin`.
Use the least-privileged Zoom app possible, restrict the app to the intended account, and revoke credentials if you stop using the skill.
Running the script changes real Zoom and Google Calendar data for the configured accounts.
The script performs direct API mutations: it creates a Zoom meeting and patches a Google Calendar event. This matches the stated purpose, but it is still account-changing behavior.
```sh
curl -s -X POST "https://api.zoom.us/v2/users/me/meetings" ...
curl -s -X PATCH "https://www.googleapis.com/calendar/v3/calendars/primary/events/${EVENT_ID}?conferenceDataVersion=1"
```

Run it only after confirming the target Google account, calendar event ID, meeting title, time, and duration.
The skill may fail or behave unexpectedly if the local tools are missing, outdated, or replaced by untrusted binaries.
The skill depends on external local command-line tools. There is no install spec in the supplied artifacts, so users must supply and trust those tools themselves.
Required CLI tools: `gog`, `jq`, `curl`, `base64`
Install these tools from trusted sources and verify that `gog` is the intended Google Calendar CLI before using the skill.
