Meeting Assistant
Warn
Audited by ClawScan on May 18, 2026.
Overview
This is a coherent meeting-recording/chat bot, but it embeds credentials and handles sensitive meeting and medical data through long-running services, so it needs review before use.
Install only if you trust the publisher and are prepared to replace and rotate all embedded secrets. Pin and review the Docker images, obtain participant consent before recording or using AI analysis, avoid sensitive medical use unless privacy controls are verified, and stop/delete recordings and containers after each meeting.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the skill files or a local process that can reach the Vexa API may be able to control the bot, read meeting data, or send messages through it.
The Vexa API key used to control the meeting bot is embedded directly in the shipped configuration; related docs and compose files also include admin and Zoom credential literals.
"vexa_api_key": "dGosC39FSoaw0UpIV..."
Rotate the exposed tokens, remove hardcoded secrets, require per-user environment variables or a secret manager, and declare the required credentials and scopes in metadata.
A future image update or compromised upstream image could change what code runs in the meeting-recording pipeline.
The runtime depends on external Docker images, including moving latest-style tags, for services that can access meeting audio, chat, and transcription data.
image: fedirz/faster-whisper-server:latest-cpu ... image: vexaai/vexa-lite:latest ... image: python:3.11-slim
Pin Docker images to immutable digests, publish a complete install specification, and review or vendor the components that handle meeting content.
Once enabled, the bot may send incorrect, sensitive, or unwanted content into a meeting visible to other participants.
The skill intentionally posts model-generated responses back into the live meeting chat on an automatic polling loop.
Chat polling (every 5 seconds) ... read meeting chat → detect new user messages → Claude generates a reply → send back to chat
Use only with participant consent, limit triggers, and consider requiring user approval before posting in medical, legal, business, or other sensitive meetings.
Sensitive meeting information may remain on disk after the call and could be read, reused, or exposed later if not protected or deleted.
The skill persists transcripts, bot messages, analysis logs, and summaries, which can include confidential or medical meeting content.
recordings/bot_.../transcript_log.json ... suggestions_log.json ... meeting_summary.md
Define retention and cleanup behavior, encrypt sensitive recordings/transcripts, store them in a user-approved location, and avoid recording medical data without explicit consent.
Meeting content, potentially including medical or confidential information, is shared with external AI/provider workflows and with meeting participants through the bot.
Meeting screenshots/transcripts are sent into Claude analysis and then can be reflected back into meeting chat.
Screenshot → fetch transcript delta → Claude vision + text analysis → post to chat if there are suggestions → save logs
Confirm all participants agree to AI processing, minimize what is sent to providers, and avoid using the assistant for highly sensitive meetings unless privacy controls are verified.
If the user forgets to stop it, the assistant or its supporting containers may continue running longer than expected.
The assistant is designed to start a detached background process and track it with a state file.
subprocess.Popen(... start_new_session=True ...); STATE_FILE = SKILL_DIR / ".assistant_state.json"
Use the provided stop/status commands, stop Docker Compose when finished, and verify no bot or recording service remains active after meetings.
