Mobile Meeting API
Security checks across malware telemetry and agentic risk
Overview
This skill mostly matches a meeting-API helper, but it handles real meeting credentials and its browser signing tool loads third-party code despite claiming to have no dependencies.
Review before installing. Use only test or least-privileged Mobile Meeting credentials, do not enter production App Keys into app_auth.html unless the remote CDN dependency is removed or pinned, and confirm carefully before running scripts that create, cancel, or force-end meetings.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the CDN script changes or is compromised, a user's App Key could be exposed while using the signing helper.
The browser signature tool asks users for an App Key while executing an unpinned third-party CDN script, so remote code has access to sensitive credential material.
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js"></script> ... <input type="text" id="appKey" placeholder="请输入App Key">
Bundle a reviewed local CryptoJS copy, add SRI/pinning, or use a local audited script for HMAC signing; warn users not to enter production keys into pages that load remote scripts.
Users may trust the tool as fully offline and dependency-free and enter production credentials without realizing third-party code is loaded.
The documentation tells users the signing tool has no dependency, but the provided HTML loads CryptoJS from a remote CDN while handling App Key input.
app_auth.html: browser-side interactive HMAC-SHA256 signature generator, **requires no server or dependencies**, just open it directly in a browser to use it. Enter the App ID, App Key and User ID
Correct the documentation to disclose the CDN dependency, or remove the dependency so the tool is truly offline.
Tokens printed in a terminal or logs could be seen by others and used to access or manage meetings.
The script directly handles App Key input and prints access/refresh tokens. This is expected for an authentication helper, but the tokens are sensitive.
APP_KEY = input("请输入APP_KEY: ").strip() ... print(f"Access Token: {data.get('accessToken')}") ... print(f"Refresh Token: {data.get('refreshToken')}")
Use least-privileged test credentials, avoid shared terminals and log capture, and rotate tokens if they are exposed.
Running the script with the wrong meeting ID or token could cancel or end an active meeting.
The helper can cancel or force-end meetings using the supplied access token. It is user-directed and aligned with the skill purpose, but it is a high-impact account action.
response = requests.delete(url, headers=headers, params=params) ... force_end = input("是否强制结束正在召开的会议? (y/n, 默认n): ").strip().lower() == 'y'
Confirm meeting IDs and permissions before running mutation scripts, and prefer test environments for initial integration.
If any token is real, it could be reused; even if it is only a sample, users or agents might copy insecure examples.
The reference documentation contains concrete token-looking values in cURL examples. They may be sample or expired values, but real-looking secrets should not be shipped in documentation.
curl -k -i -H 'content-type: application/json' -X POST -H 'X-Access-Token:stbX5ElstO5QwOwPB9KGQWUZ1DHoFrTsQjjC'
Replace example tokens with placeholders such as <ACCESS_TOKEN>, and avoid teaching insecure cURL patterns like -k unless explicitly justified.
