ClawHub

Zoom Unofficial Community Skill

v0.0.5

Zoom API integration for meetings, calendar, chat, and user management. Use when the user asks to schedule meetings, check Zoom calendar, list recordings, send Zoom chat messages, manage contacts, or interact with any Zoom Workplace feature. Supports Server-to-Server OAuth and OAuth apps.

1· 2.2k·0 current·0 all-time
byTan Chun Siong@tanchunsiong
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is a Zoom API CLI and only asks for Zoom-related credentials (Account ID, Client ID, Client Secret, optional user email and RTMS client ID). The declared python3 binary and the included script align with the described functionality (meetings, recordings, chat, RTMS). There are no unrelated credentials or binaries requested.
Instruction Scope
SKILL.md and the CLI script instruct the agent to load a .env file, install requests/PyJWT, and call Zoom REST endpoints. The script reads .env from the workspace root and performs API calls only to Zoom endpoints; it does not instruct reading unrelated system files or sending data to unknown external endpoints. It does cache the OAuth token to /tmp/zoom_token.json (expected for token caching).
Install Mechanism
No install spec is provided (instruction-only), which is low risk. Runtime instructions recommend installing pip packages (requests, PyJWT) from PyPI — a standard dependency approach. There are no downloads from untrusted hosts or archive extraction steps in the install process.
Credentials
The skill requires Zoom Server-to-Server credentials (Account ID, Client ID, Client Secret), which are appropriate for its functionality. It also optionally uses ZOOM_USER_EMAIL and ZOOM_RTMS_CLIENT_ID for user-targeted actions and RTMS control. Note: secrets are expected to be stored in a .env file and a short-lived access token is cached to /tmp/zoom_token.json — treat these files as sensitive. Ensure you grant only minimal scopes required for the commands you intend to use.
Persistence & Privilege
always is false and the skill does not request persistent platform-wide privileges. It writes a token cache to /tmp (normal) and loads a .env file in the workspace (expected). It does not modify other skills or system-wide agent settings.
Assessment
This package appears to be an honest Zoom CLI/skill, but you should still take normal precautions: only install if you trust the source (homepage is missing), and create a dedicated Server-to-Server OAuth app for this use with the smallest set of scopes required. Keep your .env (client secret/account id) private and consider running the tool in an isolated environment. The tool will cache tokens to /tmp/zoom_token.json and can control RTMS (starting/stopping real-time streams) if you provide ZOOM_RTMS_CLIENT_ID — RTMS control can expose meeting media, so only enable that for trusted RTMS apps. If you later stop using the skill, rotate the OAuth credentials. If you want further assurance, review the remainder of scripts/zoom.py (only a truncated portion was shown) and confirm no unexpected network endpoints or file writes beyond the described behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk977vdxx36bgf0gmjh9t2s2ffh80acj3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments