Safety Report

Gong

Name: Gong
Author: jdrhyne

Gong API for searching calls, transcripts, and conversation intelligence. Use when working with Gong call recordings, sales conversations, transcripts, meeting data, or conversation analytics. Supports listing calls, fetching transcripts, user management, and activity stats.

1,760Downloads

2Installs

0Stars

2Versions

API Integration4,971 Search & Retrieval2,116 CLI & Shell Tools1,805 Customer Support1,744

Security Analysis

medium confidence

Clean0.08 risk

The skill is consistent with a simple Gong API helper: it reads a local Gong credentials JSON and issues curl requests to the configured Gong base_url; nothing obvious or disproportional is present, but there are a few minor bookkeeping gaps to verify before use.

Feb 13, 20263 files2 concerns

Purpose & Capabilityok

Name/description match the behavior: the SKILL.md and script only call Gong endpoints using credentials from ~/.config/gong/credentials.json. Requested access (the credentials file) is appropriate for the stated purpose.

Instruction Scopenote

Instructions and the provided shell script limit actions to reading the specified credentials file and calling the user-provided Gong base_url endpoints. They do not attempt to read other system files or call external endpoints beyond the configured base_url. Note: the SKILL.md/script reference the optional GONG_CREDS env var but that environment variable is not declared in the registry metadata.

Install Mechanismok

No install spec and the skill is instruction-only plus a small helper script — nothing is downloaded or installed automatically, which minimizes install-time risk.

Credentialsnote

The skill requires a credentials JSON (base_url, access_key, secret_key) which is proportional for calling the Gong API. Minor inconsistency: no required env vars or binaries are declared in the registry metadata, yet the script uses environment variable GONG_CREDS and depends on external tools (curl, jq, base64, date).

Persistence & Privilegeok

The skill does not request always:true or any elevated persistence. It does not modify other skills or system-wide settings; it only reads its own credentials file.

Guidance

This skill appears to do what it claims: read a local Gong credentials JSON and call Gong API endpoints. Things to check before installing: 1) Ensure you only place a Gong API key with minimal (read-only) scope in ~/.config/gong/credentials.json and keep that file access-limited. 2) Confirm the skill will call only your configured base_url (the script uses whatever base_url is in the credentials file). 3) The helper script depends on curl, jq, base64 and standard date — make sure those are available; the registry metadata does not list these dependencies. 4) Because the skill will send transcripts and call metadata to Gong, review your Gong API key permissions and rotate keys if needed. 5) Source/homepage is absent; if you require provenance, ask the publisher for upstream source or a repository before trusting it in sensitive environments.

Latest Release

v1.1.0

Fix: add metadata.openclaw with credentials config requirement

More by @jdrhyne

JIRA

11 stars

Munger Observer

2 stars

Nutrient Openclaw

2 stars

Context Recovery

2 stars

Nudocs

0 stars

Nutrient Document Processing (Universal Agent Skill)

0 stars

Published by @jdrhyne on ClawHub