
Fathom

by lauren-hayes-ai · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 666
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install fathom-meetings
Description
Access Fathom AI meeting recordings, transcripts, summaries, and action items via the Fathom API. Use when the user asks about meeting notes, call summaries,...
README (SKILL.md)

Fathom

Pull meeting recordings, transcripts, summaries, and action items from Fathom AI Notetaker.

Setup

Store the API key in ~/.openclaw/secrets/fathom.env:

FATHOM_API_KEY=your-api-key-here
FATHOM_WEBHOOK_SECRET=your-webhook-secret-here

Get API key from Fathom: Settings → Integrations → API → Generate Key.

API Reference

Base URL: https://api.fathom.ai/external/v1

Auth header: X-Api-Key: <FATHOM_API_KEY>

List Meetings

curl "https://api.fathom.ai/external/v1/meetings?limit=20" \
  -H "X-Api-Key: $FATHOM_API_KEY"

Key query params:

  • limit (1-100, default 10)
  • created_after / created_before (ISO 8601)
  • recorded_by[] (email filter)
  • include_transcript=true (include full transcript)
  • include_action_items=true (include action items)
  • include_summary=true (include AI summary)

Response shape:

{
  "items": [{
    "title": "Meeting Name",
    "meeting_title": "Calendar Event Name",
    "url": "https://fathom.video/calls/123",
    "share_url": "https://fathom.video/share/abc",
    "created_at": "2026-02-17T20:00:00Z",
    "scheduled_start_time": "...",
    "scheduled_end_time": "...",
    "recording_start_time": "...",
    "recording_end_time": "...",
    "recording_id": 123,
    "transcript": "...",
    "default_summary": "...",
    "action_items": ["..."],
    "calendar_invitees": [{"name": "...", "email": "...", "is_external": true}],
    "recorded_by": {"name": "...", "email": "..."}
  }],
  "next_cursor": "..."
}

Pagination

Pass the next_cursor value from a response as the cursor param of the next request.

Matching Fathom to Calendar

Match by time overlap (recording_start_time within event window ± 15 min) or by title similarity. The calendar_invitees field shows who was invited; is_external flags non-org attendees.
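
An added example (not taken from the skill's scripts/sync-fathom.js) of the time-window match described above, with title similarity used only to break ties between overlapping events, plus the is_external check. The flattened event shape (id, summary, start, end), the token-overlap similarity measure and the sample data are assumptions constructed for illustration.

```javascript
const WINDOW_MS = 15 * 60 * 1000; // the ± 15 min tolerance from the text

// Token-overlap (Jaccard) score; an assumed stand-in for "title similarity".
function titleSimilarity(a, b) {
  const tokens = (s) => new Set((s || "").toLowerCase().match(/[a-z0-9]+/g) || []);
  const ta = tokens(a), tb = tokens(b);
  if (ta.size === 0 || tb.size === 0) return 0;
  let shared = 0;
  for (const t of ta) if (tb.has(t)) shared++;
  return shared / (ta.size + tb.size - shared);
}

// Returns the best-matching calendar event for one Fathom meeting, or null.
function matchMeeting(meeting, events) {
  const start = Date.parse(meeting.recording_start_time);
  if (Number.isNaN(start)) return null; // missing or malformed timestamp
  let best = null, bestScore = -1;
  for (const ev of events) {
    const evStart = Date.parse(ev.start), evEnd = Date.parse(ev.end);
    if (Number.isNaN(evStart) || Number.isNaN(evEnd)) continue;
    // Recording must start inside the event window widened by 15 min each side.
    if (start < evStart - WINDOW_MS || start > evEnd + WINDOW_MS) continue;
    // Several events can share a time slot; break ties on title similarity.
    const score = titleSimilarity(meeting.meeting_title || meeting.title, ev.summary);
    if (score > bestScore) { best = ev; bestScore = score; }
  }
  return best;
}

// External meeting: at least one invitee is flagged is_external.
const isExternal = (m) => (m.calendar_invitees || []).some((i) => i.is_external === true);

// Constructed sample data (two events in the same slot, one recording).
const events = [
  { id: "ev1", summary: "Weekly Team Sync", start: "2026-02-17T20:00:00Z", end: "2026-02-17T20:30:00Z" },
  { id: "ev2", summary: "Acme Pricing Review", start: "2026-02-17T20:00:00Z", end: "2026-02-17T21:00:00Z" },
];
const meeting = {
  meeting_title: "Acme pricing review",
  recording_start_time: "2026-02-17T19:52:00Z",
  calendar_invitees: [{ name: "A", email: "a@example.com", is_external: true }],
};
console.log(matchMeeting(meeting, events).id, isExternal(meeting));
```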

Common Workflows

Pull action items from recent calls

source ~/.openclaw/secrets/fathom.env
curl -s "https://api.fathom.ai/external/v1/meetings?include_action_items=true&limit=20" \
  -H "X-Api-Key: $FATHOM_API_KEY"

Get full transcript for a specific date range

curl -s "https://api.fathom.ai/external/v1/meetings?include_transcript=true&created_after=2026-02-17T00:00:00Z&created_before=2026-02-18T00:00:00Z" \
  -H "X-Api-Key: $FATHOM_API_KEY"

Filter to external meetings only

After fetching, filter meetings where at least one calendar_invitees entry has is_external: true, or check the calendar_invitees_domains_type field for "one_or_more_external".

Sync script (calendar + Fathom → database)

See scripts/sync-fathom.js for a complete local sync script that:

  1. Refreshes Google OAuth token
  2. Pulls Google Calendar events for a date range
  3. Pulls Fathom meetings with action items
  4. Matches Fathom recordings to calendar events
  5. Upserts everything to Supabase (or any database)

Adapt the database layer to your needs.

Webhooks

Fathom can POST to your endpoint when recordings complete. Verify with FATHOM_WEBHOOK_SECRET. Use this for real-time sync instead of polling.

Tips

  • Action items from Fathom are AI-generated — review for accuracy
  • recorded_by shows who ran the Fathom bot, not necessarily the meeting organizer
  • Duplicate recordings happen when multiple team members run Fathom on the same call — deduplicate by matching scheduled_start_time + similar titles
  • The API returns meetings from all team members if using a team API key
Usage Guidance
Do not install or run this skill without addressing the issues below. The included sync script will read local secret files (Fathom API key and Google OAuth client/refresh token) and will upload meeting metadata and action items to a hard-coded Supabase URL using an embedded service key. That means your meeting transcripts, attendee emails, and action items could be sent to a third-party database you do not control. If you need this functionality: (1) Ask the author to declare required secrets and config paths in the registry metadata; (2) Remove any hard-coded remote keys/URLs and replace them with configurable endpoints so you can use your own database/service; (3) Only provide Google OAuth tokens with minimal scopes and review the code to ensure it only requests needed calendar data; (4) Run the sync script in an isolated environment or inspect & modify it to avoid sending transcripts off‑site; (5) If you do not trust the author or cannot run the script locally under your control, do not grant it access to your secrets or run it. Because the registry claims no required credentials while the code clearly needs sensitive tokens and pushes data externally, treat this skill as suspicious and verify/correct these issues before use.
Capability Analysis
Type: OpenClaw Skill Name: fathom-meetings Version: 1.0.0 The skill is classified as suspicious due to a critical security vulnerability in `scripts/sync-fathom.js`. A Supabase `service_role` API key (`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InV5cHF6d2F6ZXhnd2VhemRhdXZqIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTc3MTM4ODQ5MiwiZXhwIjoyMDg2OTY0NDkyfQ.OSPNdNnDpekNRCqB-t1Efe8IkX0U881gsUqnqWs8hk`) is hardcoded directly into the script. This `service_role` key typically bypasses Row Level Security and grants full read/write access to the Supabase database (`https://uypqzwazexgweazdauvj.supabase.co`). While the script's stated purpose is to sync data, hardcoding such a powerful key in a client-side script is a severe misconfiguration that makes the entire Supabase database vulnerable to compromise if the key is exposed or the script is exploited.
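
One way to catch this class of finding before installing a skill, as an added example rather than the marketplace scanner's or the author's code: scan a script's source for embedded JWTs, decode the unsigned payload, and flag any whose role claim is service_role. The function names and the sample source are constructed; the sample token is generated in the code and is not the key quoted above.

```javascript
// Three base64url segments; a JSON object always encodes to a string starting "eyJ".
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;

function decodePayload(token) {
  try {
    // Node's "base64" decoder also accepts the URL-safe alphabet used by JWTs.
    return JSON.parse(Buffer.from(token.split(".")[1], "base64").toString("utf8"));
  } catch (err) {
    return null; // shaped like a JWT, but the payload is not JSON
  }
}

// One finding per embedded token. The signature is never needed: the claims
// are readable by anyone who can read the file.
function findEmbeddedJwts(source, now = Date.now()) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const token of text.match(JWT_RE) || []) {
      const claims = decodePayload(token);
      if (!claims) continue;
      findings.push({
        line: idx + 1,
        role: claims.role || null,
        ref: claims.ref || null,
        expired: typeof claims.exp === "number" ? claims.exp * 1000 < now : null,
        severity: claims.role === "service_role" ? "critical" : "review",
        redacted: token.slice(0, 12) + "...", // never echo the full secret in a report
      });
    }
  });
  return findings;
}

// Constructed sample: a script with one embedded token built at run time.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fakeToken = [
  b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ iss: "supabase", ref: "exampleprojectref", role: "service_role", iat: 1700000000, exp: 2000000000 }),
  "constructed-signature",
].join(".");
const sampleSource = [
  "const SUPABASE_URL = process.env.SUPABASE_URL;",
  `const SUPABASE_KEY = "${fakeToken}";`,
  "const FATHOM_KEY = process.env.FATHOM_API_KEY;",
].join("\n");
console.log(findEmbeddedJwts(sampleSource));
```

A finding means the key has to be rotated on the database side; deleting it from the file does not revoke it.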
Capability Assessment
Purpose & Capability
The skill claims to access Fathom recordings and optionally sync with calendars/databases. SKILL.md and scripts indeed use a FATHOM_API_KEY and describe calendar sync. However the registry declares no required env vars/config paths, yet the included script reads multiple local secret files (fathom.env, google-oauth.json, google-tokens-daniel.json) and contains a hard-coded Supabase URL and service key. Those additional requirements (Google creds + database push) are not declared and go beyond the minimal 'read Fathom' purpose.
Instruction Scope
SKILL.md instructs fetching meetings and mentions a sync script that refreshes Google OAuth tokens, reads calendar events, matches recordings, and upserts transcripts/action items to a database. The script will read secrets from ~/.openclaw/secrets and send meeting metadata (attendees, transcripts, action items, share URLs) to an external Supabase instance — i.e., it collects and transmits potentially sensitive meeting content to a third-party endpoint not described in the top-level metadata.
Install Mechanism
There is no install spec (instruction-only), which is lower risk for arbitrary downloads. However a local script is included that will run locally if the agent invokes it; that script contains embedded network endpoints and credentials (no external download but local execution could cause exfiltration).
Credentials
Registry lists no required environment variables, but SKILL.md expects FATHOM_API_KEY and FATHOM_WEBHOOK_SECRET in ~/.openclaw/secrets/fathom.env. The script also requires google-oauth.json and google-tokens-daniel.json (Google client creds and refresh token) and uses a hard-coded SUPABASE_KEY. Requesting or reading Google tokens and writing meeting transcripts to a third-party DB is a disproportionate level of access relative to the basic 'read Fathom meetings' description and is not declared.
Persistence & Privilege
The skill is not 'always' enabled, but the included script reads sensitive files from the user's home (~/.openclaw/secrets) and will persist user meeting data to a remote Supabase instance using a hard-coded key. That remote persistence of potentially sensitive transcripts and attendee data is a significant privilege/persistence concern even though the skill itself does not request platform-wide always-on access.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install fathom-meetings
  3. After installation, invoke the skill by name or use /fathom-meetings
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the Fathom meetings skill with API integration.

  • Allows access to Fathom AI meeting recordings, transcripts, summaries, and action items via the Fathom API.
  • Includes setup steps for API key and webhook secret configuration.
  • Provides bash examples for listing meetings, retrieving action items, and filtering meetings.
  • Documents pagination, matching Fathom records with calendar events, and meeting invitee details.
  • Describes usage of webhooks for real-time updates and tips for data handling and accuracy.
Metadata
Slug fathom-meetings
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Fathom?

Access Fathom AI meeting recordings, transcripts, summaries, and action items via the Fathom API. Use when the user asks about meeting notes, call summaries,... It is an AI Agent Skill for Claude Code / OpenClaw, with 666 downloads so far.

How do I install Fathom?

Run "/install fathom-meetings" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Fathom free?

Yes, Fathom is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Fathom support?

Fathom is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Fathom?

It is built and maintained by lauren-hayes-ai (@lauren-hayes-ai); the current version is v1.0.0.
