Fathom
v1.0.0Connect to Fathom AI to fetch call recordings, transcripts, and summaries. Use when user asks about their meetings, call history, or wants to search past conversations.
⭐ 1· 2.3k·8 current·9 all-time
byLucas Synnott@lucassynnott
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description match the code: scripts call https://api.fathom.ai to list meetings, fetch transcripts/summaries, and register webhooks. However, the registry metadata lists no required environment variables or primary credential, while the scripts and SKILL.md clearly require an API key (FATHOM_API_KEY) and optionally read ~/.fathom_api_key. The missing declaration of the API key/config path is an incoherence.
Instruction Scope
Runtime instructions and scripts stay within the described scope: they use curl/jq to call the Fathom API endpoints and provide webhook registration. They do instruct the user to store an API key in ~/.fathom_api_key (or set FATHOM_API_KEY) and to provide a public HTTPS webhook endpoint; both are reasonable for the feature set but expand required operational setup. The scripts do not access or exfiltrate other local files or send data to non-Fathom endpoints (except the provided webhook URL which is user-controlled).
Install Mechanism
There is no install spec; the skill is a collection of shell scripts and documentation. No remote downloads or package installs are performed by the skill itself, minimizing install-time risk.
Credentials
The skill requires a single API credential (FATHOM_API_KEY) to function, which is proportionate. But that credential and the config path (~/.fathom_api_key) are not declared in the registry metadata (required env vars and primary credential are empty). This mismatch is a red flag: the skill will silently fail without the key and the metadata doesn't warn users or the platform that a secret is needed. The scripts also print webhook secrets to stdout after registration, which could be exposed if the user runs them in an untrusted environment.
Persistence & Privilege
The skill does not request permanent inclusion (always: false) and does not modify other skills or system-wide configuration. It suggests storing an API key in a home file, but it does not itself write persistent files or change agent settings.
What to consider before installing
This skill's scripts appear to legitimately call Fathom's official API and implement the described features, but the registry metadata omitted the fact that the skill requires an API key and optionally reads ~/.fathom_api_key. Before installing: (1) Verify the skill source/trustworthiness (source/homepage unknown). (2) Expect to provide a FATHOM_API_KEY; prefer setting it as an environment variable rather than writing it to a file, and if you do store it in ~/.fathom_api_key keep file perms locked (chmod 600). (3) Be careful when running setup-webhook.sh: it will register a webhook that will deliver transcripts to whatever endpoint you provide — only use a trusted HTTPS endpoint and verify webhook signatures on your endpoint. (4) Note that the script prints the webhook secret to stdout; treat that output as sensitive. (5) If you need stronger assurance, run the scripts in an isolated/sandboxed environment first and inspect network traffic to confirm calls go only to api.fathom.ai. (6) Ask the publisher/registry to update metadata to declare FATHOM_API_KEY and the ~/.fathom_api_key config path so the requirement is explicit.Like a lobster shell, security has layers — review code before you run it.
latestvk97adw4b6pjkm9e495yezgygrs7z4n44
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📞 Clawdis
Binscurl, jq