Open Utter (Meeting Bot)
Warn. Audited by ClawScan on May 10, 2026.
Overview
Open Utter appears aligned with its meeting-bot purpose, but review it carefully because it stores a reusable Google login session and contains an unsafe shell-command path for chat updates.
Install only if you are comfortable with a headless bot joining meetings, storing transcripts/screenshots, and optionally saving a Google login session. Prefer guest mode or a dedicated Google account, set a duration for meetings, delete stored auth/transcripts when finished, and ask the maintainer to fix the `execSync` shell interpolation before using it in untrusted chat contexts.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a channel, target, or related value can be manipulated to include shell metacharacters, the bot could run unintended local commands under the user's account when sending chat updates.
`execSync` invokes a shell, and `channel`, `target`, `message`, and `mediaPath` are inserted into the command string rather than passed as safe argv values. `JSON.stringify` is not shell escaping.
```js
execSync(`openclaw message send --channel ${opts.channel} --target ${JSON.stringify(opts.target)} --message ${JSON.stringify(opts.message)} --media ${JSON.stringify(opts.mediaPath)}`, ...)
```
Replace shell-string `execSync` with `execFileSync`/`spawn` using an argument array or a direct OpenClaw API, and strictly validate channel and target values.
Signing in can leave a reusable Google session on disk; any process or future agent run with access to that file may be able to act as the signed-in account for Google web sessions.
Authenticated mode relies on a persistent Google browser session rather than a narrow scoped credential. The registry metadata declares no primary credential, so this broad session authority is under-declared.
`--auth` — join using saved Google account (~/.openutter/auth.json) ... `~/.openutter/auth.json` — saved Google session (cookies + localStorage, from utter-auth.ts)
Prefer guest mode or a dedicated low-privilege Google account, document this as a credential requirement, store the file with restrictive permissions, and provide clear logout/cleanup instructions for `~/.openutter/auth.json` and the browser profile.
Private meeting content can remain on disk and be reintroduced into later agent context; meeting participants' words should be treated as untrusted data, not instructions.
The skill intentionally persists meeting speech as local transcript files that the agent later reads and summarizes.
Captions are ... flushed to a transcript file every 5 seconds. **Transcript location:** `~/.openclaw/workspace/openutter/transcripts/<meeting-id>-<YYYY-MM-DD>.txt`
Use the bot only where recording/transcription is appropriate, keep the workspace private, delete transcripts when no longer needed, and instruct the agent to summarize transcripts without following any instructions contained in them.
If not given a duration or stopped, the bot may keep running until the meeting ends or the process is terminated.
The background behavior is disclosed and purpose-aligned, but it means the bot can continue attending and capturing captions after launch.
**IMPORTANT: Always run these commands with `background:true`** — the bot is a long-running process that stays in the meeting.
Use `--duration` when possible, confirm the bot leaves when expected, and provide or use a clear stop/cleanup workflow.
Runtime setup may resolve tooling or browser binaries from the local environment or network, which can vary between systems.
The documented workflow depends on `npx` tooling and a browser install step without a pinned package manifest or install spec in the supplied artifacts.
`npx tsx skills/openutter/scripts/utter-join.ts ...` and `npx playwright-core install chromium`
Pin Node dependencies and browser versions in an install spec or lockfile, and install them from trusted sources before running the skill.
