How to create, retrieve, list, and delete Zoom meetings using the Zoom REST API. Use this skill whenever the user mentions Zoom meetings, wants to schedule a...
Security Analysis
medium confidence
The skill generally does what it claims (manage Zoom meetings) but the package metadata and SKILL.md/script disagree about required credentials/config, and the credential handling is not declared in the registry metadata — this mismatch and several small inconsistencies merit caution before installing.
The skill's purpose (manage Zoom meetings) matches the code and instructions: the script calls Zoom API endpoints and uses Server-to-Server OAuth. However, the registry metadata declares no required config paths or primary credential, while SKILL.md and scripts explicitly expect a credential file at ~/.openclaw/credentials/zoom.json containing account_id, client_id, and client_secret. The credentials are appropriate for the stated purpose, but their absence from the declared requirements is an incoherence.
SKILL.md instructs the agent to read credentials from a local file, obtain and refresh OAuth tokens, and call Zoom endpoints (create/get/list/delete). Those actions are within the described scope and do not reference unrelated system paths or external endpoints outside Zoom. The instructions promise never to output credentials and to return human-readable results. Minor issues: the skill instructs autonomous use whenever Zoom is mentioned, which may cause it to be invoked more often than a user expects.
There is no install spec (instruction-only), which reduces installer risk. However, the skill includes a Python script that depends on requests and pytz, and there is no installation step to ensure those dependencies are present. This is a packaging/operational gap (not an obvious security exploit), but it could lead to runtime failures if dependencies are missing.
The skill requires sensitive Zoom credentials (account_id, client_id, client_secret) stored in a local file, but the registry metadata did not declare required config paths or primary credentials. Requesting client_secret is proportionate to the task, but the omission from declared requirements is a transparency/consistency issue that increases risk — users might not realise they need to provide sensitive secrets to enable it.
The skill does not request always:true and does not modify other skills or system-wide settings. It only reads a credential file and performs network calls; from what is visible in the package, it does not write persistent state.
Guidance
This skill appears to implement Zoom API calls correctly, but it expects a credential file (~/.openclaw/credentials/zoom.json) containing account_id, client_id, and client_secret even though the registry metadata does not declare this requirement. Before installing or enabling:
- Verify you trust the skill owner and source (homepage is missing).
- Understand that you must store Zoom Server-to-Server credentials (including client_secret) locally for it to work — only provide these if you trust the skill.
- Inspect the full scripts yourself (or ask for the full file content) to confirm there are no hidden network endpoints or telemetry; the visible code calls only Zoom endpoints.
- Ensure your runtime will have the Python dependencies (requests, pytz) installed, or the skill may fail.
- Consider limiting the agent's autonomous invocation permissions or requiring explicit user consent before performing actions that use your Zoom credentials (create/delete meetings).
If the owner/registry can be updated so the required config path and credential requirements are declared explicitly, that would resolve the main concern.
Latest Release
v1.1.5
Version 1.1.5 of the zoom-meeting skill:
- Replaced shell script-based meeting management with a new Python-based API script (`scripts/zoom_api.py`), enabling more robust meeting creation, retrieval, listing, and deletion.
- Expanded functional scope: supports creating, retrieving, listing, and deleting meetings using the Zoom REST API.
- Improved user interaction: accepts both natural language requests and structured JSON; always provides human-readable responses (no JSON output).
- Clarified and simplified credential handling; all authentication is handled automatically within the skill.
- Added dedicated API reference documentation (`references/zoom_api_reference.md`) and removed obsolete shell scripts and settings files.
Published by @Neuyazvimyi on ClawHub