Zoom Meetings
v1.1.5
How to create, retrieve, list, and delete Zoom meetings using the Zoom REST API. Use this skill whenever the user mentions Zoom meetings, wants to schedule a...
by Alibek Beldinov @neuyazvimyi
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose (manage Zoom meetings) matches the code and instructions: the script calls Zoom API endpoints and uses Server-to-Server OAuth. However, the registry metadata declares no required config paths or primary credential, while SKILL.md and scripts explicitly expect a credential file at ~/.openclaw/credentials/zoom.json containing account_id, client_id, and client_secret. The credentials are appropriate for the stated purpose, but their absence from the declared requirements is an incoherence.
Instruction Scope
SKILL.md instructs the agent to read credentials from a local file, obtain and refresh OAuth tokens, and call Zoom endpoints (create/get/list/delete). Those actions are within the described scope and do not reference unrelated system paths or external endpoints outside Zoom. The instructions promise never to output credentials and to return human-readable results. Minor issue: the skill instructs autonomous use whenever Zoom is mentioned, which may cause it to be invoked more often than a user expects.
Install Mechanism
There is no install spec (instruction-only), which reduces installer risk. However, the skill includes a Python script that depends on requests and pytz, and there is no installation step to ensure those dependencies are present. This is a packaging/operational gap (not an obvious security exploit), but it could lead to runtime failures if dependencies are missing.
Credentials
The skill requires sensitive Zoom credentials (account_id, client_id, client_secret) stored in a local file, but the registry metadata did not declare required config paths or primary credentials. Requesting client_secret is proportionate to the task, but the omission from declared requirements is a transparency/consistency issue that increases risk — users might not realise they need to provide sensitive secrets to enable it.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It only reads a credential file and performs network calls; from what is visible in the package, it does not write persistent state.
What to consider before installing
This skill appears to implement Zoom API calls correctly, but it expects a credential file (~/.openclaw/credentials/zoom.json) containing account_id, client_id, and client_secret even though the registry metadata does not declare this requirement. Before installing or enabling:
- Verify you trust the skill owner and source (homepage is missing).
- Understand that you must store Zoom Server-to-Server credentials (including client_secret) locally for it to work — only provide these if you trust the skill.
- Inspect the full scripts yourself (or ask for the full file content) to confirm there are no hidden network endpoints or telemetry; the visible code calls only Zoom endpoints.
- Ensure your runtime will have the Python dependencies (requests, pytz) installed, or the skill may fail.
- Consider limiting the agent's autonomous invocation permissions or requiring explicit user consent before performing actions that use your Zoom credentials (create/delete meetings).
If the owner/registry can be updated so the required config path and credential requirements are declared explicitly, that would resolve the main concern.
latest vk97eegkqw52fvm3jw4fzzrn98s82acfg
