Skill Vexa
v0.1.3
Send bots to Zoom, Google Meet, and Microsoft Teams meetings. Get live transcripts, recordings, and reports. Works with Vexa Cloud or your own self-hosted in...
⭐ 2· 1.2k·2 current·2 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the included scripts match: the code implements starting/stopping bots, fetching transcripts, creating reports, and webhook transforms for Vexa. However the registry metadata claimed no required env vars while SKILL.md and the scripts clearly require VEXA_API_KEY (and support per-endpoint API keys). That metadata mismatch is unexplained and should be corrected/clarified.
Instruction Scope
Runtime instructions and bundled scripts instruct the agent to run the included Node CLI scripts, which read and persist VEXA_API_KEY in skills/vexa/secrets, write reports into memory/meetings/, and read local OpenClaw files (e.g., openclaw.json, sessions.json) and cloudflared credentials to check webhook and session state. Reading other local config/session files and ~/.cloudflared is outside a minimal 'meeting bot' scope and increases sensitivity. The scripts in the repo do not transmit those local files externally, but they do access potentially sensitive tokens/config values locally.
Install Mechanism
No external install steps or downloads are requested; the skill is instruction + bundled scripts that run locally with node. There is no remote archive download or third-party package installation specified in the manifest.
Credentials
The skill actually requires VEXA_API_KEY (and optionally VEXA_BASE_URL), but the registry 'Required env vars' field lists none — this is an incoherence. The scripts also attempt to read OpenClaw-related files (openclaw.json, sessions.json) and cloudflared credentials in the user's home directory; those accesses are somewhat justifiable for webhook validation but are broader than just needing a single API key.
Persistence & Privilege
The skill does persist the API key into skills/vexa/secrets/vexa.env (and supports persisting state under secrets/). It does not request always:true. The scripts may execute child processes (spawnSync) to run onboarding/ingest flows — expected for a CLI. Autonomous invocation (disable-model-invocation: false) is the platform default; combined with the script's ability to read local OpenClaw config and sessions, this increases blast radius if the skill were compromised, so exercise caution.
What to consider before installing
Before installing:
1) Note the manifest omission — this skill requires a VEXA_API_KEY (set in env or skills/vexa/secrets/vexa.env). Don't paste API keys into chat; follow the onboarding flow and persist keys in a secrets file with proper file permissions.
2) The skill's scripts read local OpenClaw files (openclaw.json, sessions.json) and may inspect ~/.cloudflared credentials to validate webhooks — these files can contain tokens or sensitive config. Only install if you trust the skill source and are comfortable it can read those files.
3) The skill will write reports into your workspace (memory/meetings/) and can persist state under skills/vexa/secrets/. Ensure those paths are excluded from version control and review their contents after use.
4) Consider testing in an isolated environment (throwaway workspace or VM) first, and review the bundled scripts (which are included) to confirm behavior you are comfortable with.
5) If you want to proceed but reduce exposure: set VEXA_API_KEY only in environment (not in skill secrets), avoid enabling public webhook tunnels until you verify security, and verify openclaw.json and sessions.json contents before allowing the skill to read them.
If you need the skill for production use, ask the author to fix the registry metadata (declare required env) and to document precisely what local files the scripts will read and why.
Like a lobster shell, security has layers — review code before you run it.
latestvk97a7amj3ecga2ybmq1z2gpzzd82ag0p
