Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Meeting Prep Agent
v1.1.0Never walk into a meeting unprepared again. Your agent researches all attendees before calendar events—pulling LinkedIn profiles, recent company news, mutual connections, and conversation starters. Generates a briefing doc with talking points, icebreakers, and context so you show up informed and confident. Triggered automatically before meetings or on-demand. Configure research depth, advance timing, and output format. Walking into meetings blind is amateur hour—missed connections, generic small talk, zero leverage. Use when setting up meeting intelligence, researching specific attendees, generating pre-meeting briefs, or automating your prep workflow.
⭐ 0· 1.1k·4 current·4 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description (meeting research using LinkedIn, news, mutual connections) aligns with needing calendar access (it declares dependency on the 'gog' calendar skill and GOOGLE_CALENDAR_ENABLED). However, performing reliable LinkedIn/company research or mutual-connection mapping typically requires additional tooling, APIs, or credentials (or explicit web-fetch code). The package only requests a single env var (GOOGLE_CALENDAR_ENABLED) and relies on 'gog' for calendar access, which is minimal but not obviously sufficient for the full advertised capability.
Instruction Scope
SKILL.md instructs the agent to fetch LinkedIn profiles, news, and mutual connections, and to auto-trigger before events. The included scripts (prep.sh, auto-prep.sh, brief.sh) are scoped to reading the skill's config, producing and storing briefs, and calling a (commented) gog calendar integration. Critically, the research functions in prep.sh are mock placeholders that return generated data rather than performing live web_search/web_fetch calls. There are no instructions in the shipped scripts that read unrelated system files or exfiltrate data, but SKILL.md implies external web queries that the current code does not implement.
Install Mechanism
No install spec — instruction-only with accompanying scripts — so nothing is downloaded from third-party URLs at install time. Scripts are provided as plain shell files; that is low-install risk compared with arbitrary remote installers.
Credentials
The skill declares a single required env var (GOOGLE_CALENDAR_ENABLED) and a dependency on the gog skill for calendar access, which is proportionate for calendar-triggered behavior. That said, the skill promises LinkedIn/news research and 'mutual connections' mapping without requesting any LinkedIn/CRM/API credentials or documenting how those data are accessed — an omission that could indicate incomplete implementation or future changes that would require additional secrets. setup.sh also checks for the existence of gog's config file (~/.config/gog/config.json), meaning the skill will rely on other local credential artifacts even though they are not explicitly listed in requires.env.
Persistence & Privilege
always is false; the skill does not request forced always-on installation. Scripts create and manage files under the user's ~/.config/meeting-prep directory (config.json, briefs, logs, history) which is a normal and limited footprint. The skill does not modify other skills or global agent settings.
What to consider before installing
This skill is not outright malicious, but there are important inconsistencies and privacy implications to consider before enabling it:
- The description promises live web research (LinkedIn profiles, mutual connections, recent news), but the included scripts currently produce mock data rather than performing web fetches. That could mean the skill is a template/incomplete or that real web-scraping/network code may be added later. Treat the current package as a scaffolding, not a finished scraper.
- The skill relies on the 'gog' calendar integration and will create config and brief files under ~/.config/meeting-prep. Review those files and the paths before permitting automated runs. If you enable cron-based auto-prep, the scripts will run on a schedule and write briefs/logs locally.
- If you plan to use real LinkedIn/company data, ask how that data will be fetched: does the skill call external services, a third-party server, or local CLI tools? If real network calls are added, check what endpoints are contacted and whether any credentials (LinkedIn/CRM/API tokens) are requested or stored.
- Safe steps before enabling permanently:
1) Run scripts/setup.sh and then run prep.sh with --dry-run to inspect outputs and ensure nothing unexpected runs. The scripts support --dry-run.
2) Inspect ~/.config/meeting-prep for generated files and confirm their contents are acceptable.
3) If network-enabled research is required, request a version that explicitly documents which services/endpoints it uses and what credentials (if any) it needs; avoid giving third-party tokens unless you trust the source.
4) Because the skill's source/homepage are unknown, prefer local dry-runs and review the code yourself or with a trusted engineer before enabling cron-based auto-prep.
What would change this assessment: if you provide evidence that the skill actually performs live web fetches and those fetches go only to public sources (and no secret exfiltration occurs), and/or the package documents and declares any additional required credentials (LinkedIn/CRM/API) and the install mechanisms, the verdict could move toward benign. Conversely, if future commits add network calls to untrusted endpoints or request unrelated credentials, treat the skill as higher risk.Like a lobster shell, security has layers — review code before you run it.
latestvk974shsj4hz8sp7sq22sgvsd9980yhkq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎯 Clawdis
EnvGOOGLE_CALENDAR_ENABLED