Skill Trust Decision

cms-meeting-monitor

Cross-skill subprocess invocation via undeclared `subprocess.run` calls is the primary concern—neither the SKILL.md nor the tool declarations (monitor:read, notifier:write) accurately reflect the exec/shell:WRITE nature of the code.

Install decision first
Source: Manual upload · Scanned: Apr 4, 2026
Files 7 · Artifacts 0 · Violations 4 · Findings 5

Most direct threat evidence

High · Doc Mismatch
Undeclared cross-skill subprocess execution

monitor.py:trigger_pull() uses subprocess.run to invoke cms-meeting-materials/scripts/huiji/trigger-pull.py. This is a shell:WRITE capability that is not declared in SKILL.md. The tool 'monitor' declares permission:read but the code actually executes an external script.

scripts/monitor.py:170

Why this conclusion was reached

2/4 dimensions flagged
Block · Declared vs actual capability
4 undeclared or violating capabilities were inferred.

Pass · Hidden execution and egress
No obvious high-risk egress or execution signals were found.

Block · Attack chain and severe findings
The report includes 0 attack-chain steps and 2 severe findings.

Review · Dependencies and supply chain hygiene
1 dependency or supply-chain issue needs attention.

What drove the risk score up

Cross-skill subprocess execution undeclared in docs +20

monitor.py:trigger_pull() and notifier.py both call subprocess.run on external scripts without documentation in SKILL.md. tool permission:read ≠ exec/category

Capability violation — declared vs inferred +8

monitor tool declares permission:read but code executes external scripts (shell:WRITE). notifier declares permission:write but also invokes subprocess.

Undeclared dependency on cms-meeting-materials skill +4

Both scripts hard-code a path to cms-meeting-materials/scripts/huiji/trigger-pull.py. If that skill is malicious or compromised, this skill inherits the risk.

Most important evidence

High · Doc Mismatch
Undeclared cross-skill subprocess execution

monitor.py:trigger_pull() uses subprocess.run to invoke cms-meeting-materials/scripts/huiji/trigger-pull.py. This is a shell:WRITE capability that is not declared in SKILL.md. The tool 'monitor' declares permission:read but the code actually executes an external script.

scripts/monitor.py:170
Add subprocess or shell:WRITE to the tool's declared permission in SKILL.md. If cross-skill triggers are intentional, document the cms-meeting-materials dependency explicitly.

High · Doc Mismatch
Notifier also performs undeclared subprocess execution

notifier.py:get_latest_fragments() imports subprocess and calls scripts from cms-meeting-materials. SKILL.md declares notifier permission:write, but the code performs read + exec operations.

scripts/notifier.py:48
Align notifier's declared permission with actual behavior (exec or read+exec).

Medium · Priv Escalation
Tool permission declarations do not match code capabilities

monitor tool: category=exec, risk_level=medium, permission=read — but the code executes subprocess, which is exec-level. notifier tool: permission=write — but also executes subprocess.

SKILL.md:21
Update SKILL.md to reflect the actual permission levels (at minimum exec:WRITE) and list the cross-skill dependency.

Medium · Supply Chain
Undeclared hard-coded dependency on cms-meeting-materials skill

Both monitor.py and notifier.py hard-code paths to cms-meeting-materials/scripts/huiji/. If that dependency is absent or compromised, the skill fails or is exploited. No version pinning or integrity check.

scripts/monitor.py:165
Document the cms-meeting-materials dependency in SKILL.md. Consider adding a manifest or checksum for the dependency script.

Low · Sensitive Access
Accesses environment variables for credentials

The skill reads XG_BIZ_API_KEY from os.environ. This is declared in SKILL.md metadata and is necessary for the feature, but the code does not validate or sanitize this variable.

scripts/monitor.py:40
Document what environment variables are accessed. Add input validation for meeting_chat_id to prevent path injection through this variable.

Declared capability vs actual capability

Shell · Block · Declared NONE · Inferred WRITE
scripts/monitor.py:170 — subprocess.run to trigger-pull.py

Shell · Block · Declared NONE · Inferred WRITE
scripts/notifier.py:48 — subprocess to huiji scripts

Filesystem · Block · Declared NONE · Inferred WRITE
scripts/monitor.py:115 — state write to ~/.openclaw/

Skill Invoke · Block · Declared NONE · Inferred WRITE
monitor.py:170 & notifier.py:48 — cross-skill subprocess to cms-meeting-materials

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

Package: cms-meeting-materials
Version: unpinned
Source: cross-skill dependency
Known vuln: No
Notes: External skill dependency; scripts/huiji/trigger-pull.py is invoked via subprocess. No version pinning, no integrity check. The security posture of this skill is inherited.

File composition

7 files · 767 lines
Python 2 files · 582 lines
Markdown 4 files · 183 lines
Text 1 file · 2 lines
Files of concern · 3
scripts/monitor.py Python · 405 lines
Undeclared cross-skill subprocess execution · Undeclared hard-coded dependency on cms-meeting-materials skill · Accesses environment variables for credentials
scripts/notifier.py Python · 177 lines
Notifier also performs undeclared subprocess execution
SKILL.md Markdown · 115 lines
Tool permission declarations do not match code capabilities
Other files · DESIGN.md · DISCUSSION-LOG.md · LEARNING-LOOP.md · requirements.txt

Security positives

SKILL.md explicitly declares the XG_BIZ_API_KEY environment variable dependency
No hardcoded credentials or API keys found in source code
No obfuscation techniques (no base64, no eval, no atob patterns)
No direct IP network requests or C2-style communication
subprocess calls include timeout=60 and error handling
State file writes use atomic replace (tmp + replace pattern)
No access to ~/.ssh, ~/.aws, or other credential paths
No cron/scheduled task self-installation
No data exfiltration — all data stays local to ~/.openclaw