Back to skill

Security audit

Zoom Unofficial Community Skill

Security checks across malware telemetry and agentic risk

Overview

This is a real Zoom automation skill, but it needs Review because it can delete Zoom data, send messages, export sensitive meeting content, and stores high-privilege tokens/secrets with weak safeguards.

Install only if you are comfortable giving this skill a dedicated Zoom OAuth app with the minimum scopes needed. Protect the .env file, never commit it, consider changing the token cache to a private 0600-permission location, and require explicit confirmation before deleting meetings or recordings, sending messages, starting/stopping RTMS, or downloading meeting content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (16)

Tainted flow: 'fpath' from os.environ.get (line 391, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
fname = f"{topic}_ai_summary.md"
    fpath = os.path.join(out_dir, fname)
    with open(fpath, "w") as f:
        f.write("\n".join(lines))
    print(f"✅ AI summary saved to {fpath}")
Confidence
76% confidence
Finding
with open(fpath, "w") as f:

Tainted flow: 'fpath' from os.environ.get (line 391, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
print(f"Downloading {rec_type} → {fpath} ...")
        resp = requests.get(f"{url}?access_token={token}", stream=True, timeout=60)
        resp.raise_for_status()
        with open(fpath, "wb") as out:
            for chunk in resp.iter_content(chunk_size=8192):
                out.write(chunk)
        size_mb = os.path.getsize(fpath) / (1024 * 1024)
Confidence
79% confidence
Finding
with open(fpath, "wb") as out:

Tainted flow: 'fpath' from os.environ.get (line 391, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
print(f"Downloading {rec_type} → {fpath} ...")
        resp = requests.get(f"{url}?access_token={token}", stream=True, timeout=60)
        resp.raise_for_status()
        with open(fpath, "wb") as out:
            for chunk in resp.iter_content(chunk_size=8192):
                out.write(chunk)
        size_kb = os.path.getsize(fpath) / 1024
Confidence
79% confidence
Finding
with open(fpath, "wb") as out:

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents use of environment variables, network access to the Zoom API, and local file writes for downloads, but it does not declare permissions or constraints for those capabilities. This creates a transparency and governance gap: an agent may invoke a powerful integration with access to credentials, external communications, and filesystem output without explicit user-facing permission boundaries.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises destructive and privacy-sensitive capabilities such as deleting recordings, downloading transcripts and AI summaries, sending chat messages, and starting/stopping RTMS streams, but it does not prominently warn about consent, authorization boundaries, data sensitivity, or the risk of acting on the wrong account or meeting. In an agent skill context, this increases the chance that an automated system may invoke high-impact actions without adequate user confirmation or policy checks, especially because the skill is positioned for broad use across meetings, chat, and recordings.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description is broadly scoped to many ordinary Zoom-related requests, increasing the chance the skill is auto-selected in situations where the user did not intend a high-privilege Zoom integration to run. In context, this is more dangerous because the skill supports administrative, destructive, and data-export actions via OAuth-backed API access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises deletion of meetings and recordings without any confirmation, warning, or safety interlock. In a collaboration platform, accidental or prompt-induced destructive actions can cause irreversible business disruption or loss of records, especially when the integration may operate with admin scopes.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documented download commands write recordings, transcripts, and AI summaries to local storage without warning that these files may contain sensitive meeting content or regulated data. This increases risk of unintended data exfiltration, insecure local persistence, and privacy violations, especially because recordings and transcripts often contain confidential business discussions and personal information.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill includes commands to send channel and direct messages without making clear that content will be transmitted to other users. This can lead to accidental externalization of sensitive or mistaken content if an agent acts without an explicit send-confirm step, though the impact is generally narrower than deletion or recording export.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation instructs users to place long-lived Zoom credentials in a workspace `.env` file without any warning about secure storage, access controls, or avoiding commits to source control. In an agent/workspace context, this increases the chance that other tools, logs, backups, or collaborators can read the secrets and use them to obtain privileged admin-scoped Zoom access tokens.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs meeting deletion immediately with no confirmation, dry-run mode, or safety interlock. In an agent setting, ambiguous prompts, prompt injection, or operator error could trigger irreversible destructive actions against real Zoom resources.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Recording deletion is irreversible and currently lacks any explicit confirmation or secondary authorization step. Because recordings often contain sensitive business or personal data, accidental or manipulated deletion can cause operational loss and destroy evidence or audit-relevant material.

Credential Access

High
Category
Privilege Escalation
Content
Click **Activate** on the **Activation** tab.

### Step 5: Configure .env

Add to your workspace `.env`:
Confidence
95% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
## Token Caching

The script caches the access token and auto-refreshes when expired (tokens last 1 hour).
Cache file: `/tmp/zoom_token.json`
Confidence
90% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
BASE_URL = "https://api.zoom.us/v2"
TOKEN_URL = "https://zoom.us/oauth/token"
TOKEN_CACHE = "/tmp/zoom_token.json"
ENV_FILE = os.path.join(os.path.dirname(os.path.abspath(__file__)), "..", ".env")


def _user_id():
Confidence
88% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
def _load_env():
    """Load .env file from workspace root."""
    env_path = os.path.normpath(ENV_FILE)
    if os.path.exists(env_path):
        with open(env_path) as f:
Confidence
90% confidence
Finding
.env

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.