Skill v1.0.2

ClawScan security

MeetingPrep Auto-Generate Meeting Briefs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 11, 2026, 2:13 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are internally consistent: it formats meeting briefs from calendar events and supplied context and does not request extra credentials or install anything.
Guidance
This skill appears to be what it says: a small formatter that turns an event + context into a meeting brief. Before installing, confirm how your agent/platform supplies calendar, email, and file context—the skill relies on the agent's existing permissions to read those sources. If you don't want emails or documents included, restrict the agent's permissions accordingly. The included JS contains no network calls or secret access, but if your agent automatically fetches or transmits data, review the platform's data-flow permissions. If you need certainty about data handling, test with non-sensitive events first or contact the author using the provided email.

Review Dimensions

Purpose & Capability
note
Name/description claim to pull calendar events and surface related context; the packaged JS implements brief generation and formatting from an event+context object (no networking or credential access). The SKILL.md expects the agent/platform to supply calendar and file access; this is coherent, but the code itself does not implement automatic retrieval of emails/docs; it relies on the platform/agent to provide context.
Instruction Scope
note
Runtime instructions say the skill 'uses your platform's built-in calendar and file access tools' (no separate OAuth). That is consistent with no required env vars. Be aware: the agent/platform will need permission to read calendar/events, and SKILL.md implies it may surface notes/emails/docs; the skill expects that context to be provided by the agent rather than fetching it itself.
Install Mechanism
ok
No install spec (instruction-only skill) and included JS is a small local module. Nothing is downloaded or written to disk by an installer, so installation risk is low.
Credentials
ok
The skill declares no environment variables, credentials, or config paths. The functionality described (using platform-provided calendar/file access) explains why no separate credentials are requested.
Persistence & Privilege
ok
always is false; the skill is user-invocable and allows normal autonomous invocation. It does not request persistent elevated privileges or modify other skills or system config.