Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zoom + Google Calendar

Create Zoom meetings and add them to Google Calendar events with proper conferenceData (icon, video entry, notes). Use when creating calendar events with Zoo...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 532 · 1 current installs · 1 all-time installs
byshaharsh@Shaharsha
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to create Zoom meetings and update Google Calendar — the included script does perform those actions. However the registry metadata did not declare a required Zoom credentials file while SKILL.md and the script do require a Zoom creds file (.credentials/zoom.json or ZOOM_CREDENTIALS). The script also depends on external CLIs (gog, jq, curl, base64) but the manifest lists no required binaries. These undeclared requirements are inconsistent with the stated metadata.
! Instruction Scope
SKILL.md directs use of the provided shell script (allowed-tool: exec). The script reads local credential files, exports gog tokens, exchanges a refresh token with Google's OAuth endpoint, and patches a calendar event. It also reads /root/.config/gogcli/credentials.json (hardcoded) and $HOME/.openclaw/workspace/.credentials/zoom.json (or ZOOM_CREDENTIALS), which are not declared in the top-level requirements. The script defaults GOG_KEYRING_PASSWORD and GOG_ACCOUNT to hardcoded values if env vars are absent — this is unexpected and potentially confusing. Overall the instructions do what the description promises but request access to local credential files and assume specific filesystem locations beyond what the manifest declares.
Install Mechanism
There is no install spec (instruction-only plus an included script), which reduces install-time risk. However the script relies on external tools (gog CLI, jq, curl, base64) and on the presence of Zoom credentials JSON — these are not installed or declared by the package. Because no install occurs, nothing is written by the skill itself during install, but runtime will require existing CLIs and credentials.
! Credentials
The registry lists two required env vars (GOG_KEYRING_PASSWORD, GOG_ACCOUNT) which match the gog usage. However the script also requires a Zoom credentials JSON (account_id, client_id, client_secret) and accepts ZOOM_CREDENTIALS env var to locate it; that credential file is not declared as a required resource in the registry metadata. The script reads Google client_id/secret from a hardcoded path (/root/.config/gogcli/credentials.json). The package therefore expects access to multiple sensitive secrets and files that are not fully documented in the manifest, which is disproportionate to the manifest's declared requirements.
Persistence & Privilege
The skill is not forced-always and does not request system-wide persistence. It creates a temporary file to export gog tokens and deletes it. It does not modify other skills or system config. Autonomous invocation is allowed (platform default) but not combined here with an 'always' flag or other elevated privileges.
What to consider before installing
This skill appears to implement exactly what it says (create Zoom meetings and patch Google Calendar events), but there are several red flags to resolve before using it:

- Missing declarations: The registry did not list the Zoom credentials JSON file or required CLIs, but the script needs them. Confirm you have a valid zoom.json (account_id, client_id, client_secret) and that its path is secure. The script will read ZOOM_CREDENTIALS or $HOME/.openclaw/workspace/.credentials/zoom.json by default.
- Required tools: The script calls gog, jq, curl and base64. Make sure those tools are installed and you trust their versions; the skill does not install them for you.
- Hardcoded defaults and paths: The script defaults GOG_KEYRING_PASSWORD and GOG_ACCOUNT to apparent example values and reads Google client secrets from /root/.config/gogcli/credentials.json. Running this as root or relying on these defaults can leak or misuse credentials. Edit the script to use $HOME paths and remove unsafe defaults.
- Secrets handling: The script exports tokens to a temp file briefly and then removes it — still, verify file permissions and avoid running the script in environments where other users can read temp files. Store Zoom and Google credentials with restrictive permissions.
- Minimal testing: Before giving it real credentials, test with throwaway accounts and a controlled calendar event to confirm behavior.

If you plan to use this skill: (1) ask the author to update the manifest to declare the Zoom credential requirement and required binaries; (2) remove hardcoded default values and root-only paths; (3) confirm how and where credentials are stored; and (4) inspect or adapt the script so it does not assume /root paths or insecure defaults.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latestvk9792c5sc4tq3v71aqfwn5w56581sv9r

Runtime requirements

📹 Clawdis
Env: GOG_KEYRING_PASSWORD, GOG_ACCOUNT

SKILL.md

Zoom + Google Calendar 📹

Create Zoom meetings via API and attach them to Google Calendar events — identical to the Zoom for Google Workspace add-on UI.

Quick Usage

bash skills/zoom-calendar/scripts/zoom_meeting.sh <event_id> "Meeting Title" "2026-03-01T11:50:00" 60

Parameters:

| Param | Description | Example |
|---|---|---|
| event_id | Google Calendar event ID | dgth9d45bb93a0q7ohfnckq88k |
| topic | Meeting title | "Team Meeting" |
| start_time | ISO format, no timezone (Jerusalem assumed) | "2026-03-01T11:50:00" |
| duration | Minutes (optional, default 60) | 45 |

Output: Join URL, Meeting ID, Password + event patched automatically.

Typical Workflow

  1. Create calendar event with gog calendar create
  2. Run zoom_meeting.sh with the event ID
  3. Done — conferenceData with icon, video link, and notes are set

Critical Rules

| Rule | Detail |
|---|---|
| iconUri | Use EXACTLY the URL in the script — official Zoom Marketplace icon |
| entryPoints | ONLY video — no phone, no SIP |
| passcode | Not pin — field name matters |
| meetingCode | Include the meeting ID here too |
| notes | Use <br /> for line breaks (not \n) |
| description | Leave empty — don't duplicate info |
| location | Leave empty — Zoom link lives in conferenceData |
| Default | Do NOT add Zoom unless explicitly requested |

Auth Setup

Zoom (Server-to-Server OAuth)

Credentials: .credentials/zoom.json

{"account_id": "...", "client_id": "...", "client_secret": "..."}

Create at marketplace.zoom.us → Develop → Server-to-Server OAuth. Scopes: meeting:write:admin, meeting:read:admin.

Google Calendar

Uses gog CLI auth. The script handles token export + refresh automatically. Requires: GOG_KEYRING_PASSWORD and GOG_ACCOUNT env vars.
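
A preflight for the auth requirements above, as an added example that is not part of the skill or its script: it checks the CLIs the scan lists, the two env vars, and the permissions and keys of the Zoom credentials file before zoom_meeting.sh is run. The function names and the 600/400 mode policy are assumptions of this example; the paths and variable names are the ones on this page.

```sh
#!/bin/sh
# Added example, not the skill's code; function names and mode policy are assumptions.

# Print each required CLI that is not on PATH.
missing_bins() {
  for bin in "$@"; do
    command -v "$bin" >/dev/null 2>&1 || printf '%s ' "$bin"
  done
}

# Print each named variable that is unset or empty (never rely on script defaults).
unset_vars() {
  for name in "$@"; do
    eval "val=\${$name:-}"
    [ -n "$val" ] || printf '%s ' "$name"
  done
}

# Octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the first problem with the Zoom credentials file, or nothing if it is fine.
creds_problem() {
  f=$1
  [ -f "$f" ] || { echo "missing: $f"; return 0; }
  mode=$(file_mode "$f")
  case "$mode" in
    600|400) ;;
    *) echo "mode $mode, expected 600: $f"; return 0 ;;
  esac
  command -v jq >/dev/null 2>&1 || { echo "jq unavailable, keys not checked: $f"; return 0; }
  jq -e '.account_id and .client_id and .client_secret' "$f" >/dev/null 2>&1 || echo "account_id/client_id/client_secret incomplete: $f"
}

# Return 0 only when every check passes; print one line per failed check.
preflight() {
  creds=${ZOOM_CREDENTIALS:-$HOME/.openclaw/workspace/.credentials/zoom.json}
  bins=$(missing_bins gog jq curl base64)
  vars=$(unset_vars GOG_KEYRING_PASSWORD GOG_ACCOUNT)
  prob=$(creds_problem "$creds")
  [ -z "$bins" ] || echo "missing binaries: $bins"
  [ -z "$vars" ] || echo "unset variables: $vars"
  [ -z "$prob" ] || echo "zoom credentials: $prob"
  [ -z "$bins$vars$prob" ]
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Saved under a name of your choice and invoked with `--run`, it exits non-zero when any check fails, so it can gate the call to zoom_meeting.sh.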

Files

2 total