meeting-autopilot

What to consider before installing/running this skill: - Metadata mismatch: The registry metadata lists no required env vars, but the skill requires ANTHROPIC_API_KEY or OPENAI_API_KEY (and optional ANTHROPIC_API_URL/OPENAI_API_URL). Treat the metadata omission as an error — assume an API key is required. - Secrets: Only provide an LLM API key with appropriate scope and billing controls. Prefer a dedicated/limited API key for testing and rotate it after use if you are concerned. - Sensitive transcripts: Transcripts are sent to the configured LLM provider. Do not process highly confidential meetings unless your organization's data policy allows sending that content to the chosen provider. - Local history: The skill saves extracted items (not full transcripts) under ~/.meeting-autopilot/history/. Use --no-history to avoid persistent storage, or inspect/delete the directory if needed. - Review and test in a sandbox: Because the package contains executable scripts, review the scripts (you have them) and run the tool in an isolated environment or VM if you are cautious. - Confirm endpoints: The scripts only call the configured OpenAI or Anthropic endpoints and validate http(s) scheme. If you plan to use a proxy/custom URL, verify the custom URL before use. - If you need higher assurance: ask the publisher to correct the registry metadata to declare required env vars and dependencies, and to provide a signed release or a vetted package from a known source. What would change this assessment: if the registry metadata is corrected to declare the required API keys and binaries (resolving the inconsistency), and/or if independent provenance (a trusted homepage or repo with signed releases) is provided, I would raise confidence and likely mark the skill as benign. Conversely, discovery of any hidden network calls, telemetry, or attempts to access unrelated system credentials would move the verdict toward malicious.