ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zoom Calendar

v1.1.0

Create Zoom meetings and add them to Google Calendar events with proper conferenceData (icon, video entry, notes). Use when creating calendar events with Zoo...

1· 721·0 current·1 all-time
byshaharsh@shaharsha
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Zoom + Google Calendar) align with required env vars, CLI tools, and credential files. The script talks only to Zoom and Google endpoints and requires Zoom S2S credentials plus gog/Google OAuth, which is appropriate for the task. Minor inconsistency: metadata lists .credentials/zoom.json but the script defaults to $HOME/.openclaw/workspace/.credentials/zoom.json unless ZOOM_CREDENTIALS is set.
Instruction Scope
SKILL.md and the included bash script limit actions to creating a Zoom meeting, obtaining Google access tokens via gog, and PATCHing the specified calendar event's conferenceData. The script reads declared credential files and the two declared env vars, uses mktemp for a transient token file (deleted), and only calls zoom.us, oauth2.googleapis.com, and www.googleapis.com.
Install Mechanism
No install spec — instruction-only with an included script. No downloads or extraction from remote URLs. Risk is low because nothing is written to system paths besides a temporary token file that the script removes.
Credentials
Requested env vars (GOG_KEYRING_PASSWORD, GOG_ACCOUNT) are justified for gog/Google auth. The Zoom credentials are read from a file (configurable via ZOOM_CREDENTIALS) which is appropriate. Note the small mismatch between the metadata-declared credentials path and the script's default path; ensure your Zoom credentials are stored at the path the script expects or set ZOOM_CREDENTIALS.
Persistence & Privilege
always:false and the skill does not request persistent system-wide privileges or modify other skills. It requires permission to modify calendar events (expected). The agent-executable default is normal.
Assessment
This skill appears to do what it says: create a Zoom meeting and attach it to a Google Calendar event. Before installing, verify and store the Zoom Server-to-Server credentials file securely (or set ZOOM_CREDENTIALS to the correct path), confirm you are comfortable granting the gog CLI access to the Google account specified by GOG_ACCOUNT, and review the script if you want to ensure no additional behavior. Also confirm the script's default Zoom credentials path ($HOME/.openclaw/workspace/.credentials/zoom.json) matches where you keep the file or set ZOOM_CREDENTIALS to point at your actual .json. As always, limit the credentials you provide to least privilege and keep backups of any credentials you change.

Like a lobster shell, security has layers — review code before you run it.

latestvk970xyqb3w9gx5qsq3se21ty5s83cknf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📹 Clawdis
EnvGOG_KEYRING_PASSWORD, GOG_ACCOUNT

Comments