meeting-autopilot

Turn meeting transcripts into operational outputs — action items, decisions, follow-up email drafts, and ticket drafts. Not a summarizer. An operator. Accept...

What to consider before installing/running this skill: - Metadata mismatch: The registry metadata lists no required env vars, but the skill requires ANTHROPIC_API_KEY or OPENAI_API_KEY (and optional ANTHROPIC_API_URL/OPENAI_API_URL). Treat the metadata omission as an error — assume an API key is required. - Secrets: Only provide an LLM API key with appropriate scope and billing controls. Prefer a dedicated/limited API key for testing and rotate it after use if you are concerned. - Sensitive transcripts: Transcripts are sent to the configured LLM provider. Do not process highly confidential meetings unless your organization's data policy allows sending that content to the chosen provider. - Local history: The skill saves extracted items (not full transcripts) under ~/.meeting-autopilot/history/. Use --no-history to avoid persistent storage, or inspect/delete the directory if needed. - Review and test in a sandbox: Because the package contains executable scripts, review the scripts (you have them) and run the tool in an isolated environment or VM if you are cautious. - Confirm endpoints: The scripts only call the configured OpenAI or Anthropic endpoints and validate http(s) scheme. If you plan to use a proxy/custom URL, verify the custom URL before use. - If you need higher assurance: ask the publisher to correct the registry metadata to declare required env vars and dependencies, and to provide a signed release or a vetted package from a known source. What would change this assessment: if the registry metadata is corrected to declare the required API keys and binaries (resolving the inconsistency), and/or if independent provenance (a trusted homepage or repo with signed releases) is provided, I would raise confidence and likely mark the skill as benign. Conversely, discovery of any hidden network calls, telemetry, or attempts to access unrelated system credentials would move the verdict toward malicious.

Type: OpenClaw Skill Name: meeting-autopilot Version: 0.1.2 The OpenClaw AgentSkills skill bundle 'meeting-autopilot' is classified as benign. The code demonstrates strong security practices, including rigorous input sanitization for file paths and meeting titles (e.g., in `scripts/meeting-autopilot.sh`), safe JSON construction using `jq --arg` for all LLM API calls and history storage (e.g., in `scripts/extract-items.sh`, `scripts/generate-outputs.sh`), and piping user-provided transcript content to isolated Python parsers via stdin (e.g., in `scripts/parse-transcript.sh`) to prevent shell injection. Permissions requested (`exec`, `read`, `write`, `network`) are justified by the skill's stated purpose. The `SKILL.md` and `README.md` contain no prompt injection attempts against the agent, and the `SECURITY.md` file provides transparent and comprehensive documentation of the skill's data handling and security model, including the inherent risk of sending transcripts to third-party LLMs.