Zoom Manager
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: zoom-manager-clawd
Version: 0.1.0
The skill is designed to manage Zoom meetings (create, list, update, delete) and interacts with the legitimate Zoom API. The `SKILL.md` correctly instructs the user to set Zoom API credentials as environment variables, and the primary entry point `scripts/zoom-cli.js` properly retrieves these secrets from `process.env`. While several other individual scripts (`scripts/create_meeting.js/py`, `scripts/delete_meeting.js/py`, etc.) attempt to load credentials from a non-existent `config.json` file, these scripts are not referenced in the `SKILL.md`'s command section, and the `config.json` file itself is not part of the skill bundle. This inconsistency is a minor code quality issue but does not indicate malicious intent or a direct vulnerability. The requested Zoom API scopes are broad but align with the skill's stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the OAuth app or agent is misused, meetings across the Zoom account could be viewed, changed, or deleted, and user or recording-related information could be accessed.
The setup asks for broad admin/master Zoom OAuth scopes, including user and recording read access. Delete scope fits the delete feature, but the overall account-level scope set is broader than a tightly bounded meeting-management workflow.
meeting:read:admin / meeting:read:master ... meeting:write:admin / meeting:write:master ... meeting:delete:admin / meeting:delete:master ... Users: user:read:admin ... Recordings: recording:read:admin
Use the narrowest Zoom scopes possible, avoid admin/master and recording/user-read scopes unless strictly necessary, and document which Zoom account and user the skill may manage.
A user may not get an accurate install-time warning that this skill needs high-value Zoom OAuth credentials.
The registry-level contract says no credential is needed, but SKILL.md and zoom-cli.js require Zoom OAuth credentials including ZOOM_CLIENT_SECRET. That under-discloses sensitive account credentials in install metadata.
Required env vars: none; Env var declarations: none; Primary credential: none
Declare the Zoom client ID, client secret, account ID, and any optional user ID in metadata, and mark the Zoom OAuth credential requirement clearly before installation.
A mistaken or overly autonomous agent invocation could cancel or delete a Zoom meeting.
The CLI directly deletes the meeting ID supplied in arguments. The artifacts do not show a confirmation prompt, dry run, or extra approval step before performing the destructive Zoom API call.
const url = `https://api.zoom.us/v2/meetings/${meetingId}`; ... method: 'DELETE'
Require explicit user confirmation for create, update, and especially delete actions; show the meeting details first and provide a dry-run or preview mode.
Users have less external context for who maintains the skill or where updates originate.
The included code is visible, but the package has limited provenance information. This is not evidence of malicious behavior, but it reduces trust and reviewability.
Source: unknown; Homepage: none
Verify the included scripts before use, prefer a skill with a clear source repository, and add provenance plus dependency/install metadata.
