Skill v1.0.0
ClawScan security
Meeting Minutes AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 13, 2026, 1:05 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (extracting decisions and action items from meeting transcripts), request no credentials or unusual permissions, and contain no obvious exfiltration or install hazards.
- Guidance: This skill appears to do exactly what it says: parse a transcript file and produce meeting minutes. Before installing or running it, consider: (1) transcripts may contain sensitive personal or financial data — only run it on files you trust or in an isolated environment; (2) the script writes output to the current working directory, so check where you run it; (3) the extraction relies on regex heuristics and may miss or misattribute owners/deadlines — manually review produced minutes for correctness; (4) if you want stronger assurance, open the full scripts/extract_minutes.py file locally to confirm there are no hidden network calls (the provided portion contains none). If additional hidden files or later versions include network access or requests for credentials, re-evaluate as that would change this assessment.
Review Dimensions
- Purpose & Capability (ok): Name/description ask for meeting transcript analysis and the included script and SKILL.md only read transcripts, extract decisions/actions/topics, and format/save minutes — all consistent with the stated function. No unrelated services, credentials, or system-level access are requested.
- Instruction Scope (ok): Runtime instructions ask the user to paste or provide a transcript path and to choose formatting; the SKILL.md and script operate on that input and save output to the current directory. The instructions do not ask the agent to read unrelated system files, network endpoints, or secrets.
- Install Mechanism (ok): There is no install spec and requirements.txt is empty; the Python script has no external dependencies. No downloads, package installs, or archive extraction are present.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. The script only reads a user-supplied transcript file and does local processing — requested access is proportional to the purpose.
- Persistence & Privilege (ok): `always` is false and the skill does not request persistent/system-wide configuration. It writes output files into the current working directory (expected behavior for a CLI tool).
