Zoom Manager
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to use Zoom APIs as advertised, but it needs review because it asks for broad Zoom admin OAuth powers and can update or delete meetings without built-in safeguards.
Install only if you are comfortable granting this skill Zoom account-level OAuth access. Create a dedicated least-privilege Zoom OAuth app, remove unused user/recording scopes if possible, keep the client secret out of repositories or config files, and require explicit confirmation before the agent creates, updates, records, or deletes meetings.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the OAuth app or agent is misused, meetings across the Zoom account could be viewed, changed, or deleted, and user or recording-related information could be accessed.
The setup asks for broad admin/master Zoom OAuth scopes, including user and recording read access. Delete scope fits the delete feature, but the overall account-level scope set is broader than a tightly bounded meeting-management workflow.
meeting:read:admin / meeting:read:master ... meeting:write:admin / meeting:write:master ... meeting:delete:admin / meeting:delete:master ... Users: user:read:admin ... Recordings: recording:read:admin
Use the narrowest Zoom scopes possible, avoid admin/master and recording/user-read scopes unless strictly necessary, and document which Zoom account and user the skill may manage.
A user may not get an accurate install-time warning that this skill needs high-value Zoom OAuth credentials.
The registry-level contract says no credential is needed, but SKILL.md and zoom-cli.js require Zoom OAuth credentials including ZOOM_CLIENT_SECRET. That under-discloses sensitive account credentials in install metadata.
Required env vars: none; Env var declarations: none; Primary credential: none
Declare the Zoom client ID, client secret, account ID, and any optional user ID in metadata, and mark the Zoom OAuth credential requirement clearly before installation.
A mistaken or overly autonomous agent invocation could cancel or delete a Zoom meeting.
The CLI directly deletes the meeting ID supplied in arguments. The artifacts do not show a confirmation prompt, dry run, or extra approval step before performing the destructive Zoom API call.
const url = `https://api.zoom.us/v2/meetings/${meetingId}`; ... method: 'DELETE'
Require explicit user confirmation for create, update, and especially delete actions; show the meeting details first and provide a dry-run or preview mode.
Users have less external context for who maintains the skill or where updates originate.
The included code is visible, but the package has limited provenance information. This is not evidence of malicious behavior, but it reduces trust and reviewability.
Source: unknown; Homepage: none
Verify the included scripts before use, prefer a skill with a clear source repository, and add provenance plus dependency/install metadata.
