Low Risk — Risk Score 18/100
Last scan: 2 days ago
meeting-efficiency-pro
AI-powered meeting optimization tool that analyzes calendar events, provides efficiency scores, extracts action items, and automates follow-ups
This is a legitimate productivity tool for meeting analysis with no malicious behavior. Shell execution (npm install) is confined to the setup command, API keys are used only for stated AI provider calls, and no credential exfiltration or sensitive path access was found.
Skill Name: meeting-efficiency-pro
Duration: 56.1s
Engine: pi
Safe to install
This skill is safe to use. The only recommendation is to pin dependency versions in package.json, or commit a lockfile, so that the caret ranges on its dependencies cannot silently pull in a newer upstream release.

Findings 4 items

Severity: Low
Finding: Unpinned npm dependencies
All 8 dependencies in package.json use caret (^) version ranges. For a version at or above 1.0.0 a caret range admits any later minor or patch release within the same major (for ^0.8.0 it admits 0.8.x patch releases only), so a compromised upstream release inside that range could be pulled in silently on the next install.
Evidence: "openai": "^4.0.0"
→ Pin exact versions (e.g., "openai": "4.0.0"), or commit package-lock.json and install with npm ci so the lockfile is enforced rather than rewritten. Review upstream release notes before bumping a pin.
Location: package.json:30

Severity: Info
Finding: Shell execution in setup command not documented
The setup() function in index.js uses child_process.exec to run 'npm install' and node/npm version checks, but SKILL.md does not declare shell:WRITE in its capability mapping. This is a minor doc-to-code mismatch; the evidence line shows a fixed command string rather than user-controlled input.
Evidence: const { stdout } = await execPromise('node --version')
→ Add shell:WRITE to the SKILL.md capability declaration if this is intentional behavior
Location: index.js:73

Severity: Info
Finding: External URL reference
The skill references https://clawhub.com/skills/meeting-efficiency-pro in help text and index.js. No network request to this URL was found in any code path.
Evidence: https://clawhub.com/skills/meeting-efficiency-pro
→ No action needed: this is a documentation URL, not an active network call
Location: index.js:403

Severity: Info
Finding: AI API key from interactive input stored in config file
setup.js accepts AI API keys from interactive user input and writes them to config/default.json. The key is then used by analyzer.js for OpenAI/Grok API calls. No evidence of exfiltration was found.
Evidence: config.ai_api_key = apiKey
→ No code change needed; key handling is standard. In production, restrict config/default.json to the owning user (mode 0600) and keep the populated file out of version control, since config/ sits inside the skill tree.
Location: scripts/setup.js:46
Resource  Declared  Inferred  Status  Evidence
Filesystem READ WRITE ✓ Aligned index.js:83 writes config/default.json; SKILL.md only mentions reading config fi…
Network READ READ ✓ Aligned index.js:403 references https://clawhub.com (docs only); actual AI API calls wou…
Shell NONE WRITE ✓ Aligned index.js:73-88 uses exec for 'npm --version' and 'npm install' within setup() co…
Environment NONE NONE No os.environ iteration found; config loaded from JSON file only
External references: 2 findings
Medium  External URL  https://clawhub.com/skills/meeting-efficiency-pro  index.js:403
Info  Email address  [email protected]  SKILL.md:169

File Tree

11 files · 86.2 KB · 2805 lines
JavaScript 6f · 2038L Markdown 3f · 678L JSON 2f · 89L
├─ 📁 config
│ └─ 📋 default.json JSON 35L · 810 B
├─ 📁 lib
│ ├─ 📜 analyzer.js JavaScript 514L · 15.9 KB
│ ├─ 📜 calendar.js JavaScript 257L · 7.2 KB
│ └─ 📜 reporter.js JavaScript 457L · 15.8 KB
├─ 📁 references
│ └─ 📝 api-docs.md Markdown 446L · 10.6 KB
├─ 📁 scripts
│ ├─ 📜 demo.js JavaScript 219L · 8.0 KB
│ └─ 📜 setup.js JavaScript 163L · 5.7 KB
├─ 📜 index.js JavaScript 428L · 14.5 KB
├─ 📋 package.json JSON 54L · 1.2 KB
├─ 📝 README.md Markdown 29L · 642 B
└─ 📝 SKILL.md Markdown 203L · 5.8 KB

Dependencies 8 items

Package  Version  Source  Known Vulns  Notes
openai ^4.0.0 npm No Caret range - not pinned
googleapis ^128.0.0 npm No Caret range - not pinned
node-schedule ^2.1.0 npm No Caret range - not pinned
ical ^0.8.0 npm No Caret range - not pinned
dotenv ^16.0.0 npm No Caret range - not pinned
axios ^1.0.0 npm No Caret range - not pinned
chalk ^4.1.0 npm No Caret range - not pinned
inquirer ^8.0.0 npm No Caret range - not pinned

Security Positives

✓ No base64, eval, or obfuscated code found anywhere in the codebase
✓ No iteration over environment variables looking for credentials
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive filesystem paths
✓ No curl|bash or wget|sh remote script execution patterns
✓ No hidden HTML comments, steganography, or covert channels
✓ No data exfiltration - credentials stay in config file and are only sent to the declared AI provider
✓ No direct IP network connections to unknown endpoints
✓ No reverse shell, C2, or persistence mechanisms
✓ Shell execution is confined to the interactive setup command and limited to npm install and node/npm version checks
✓ AI API key handling follows standard practices (config file, environment variable override documented)