← Back to Skills Marketplace
dmitriyg228

Skill Vexa

by DmitriyG228 · GitHub ↗ · v0.1.1
cross-platform ⚠ suspicious
358
Downloads
0
Stars
1
Active Installs
2
Versions
Install in OpenClaw
/install skill-vexa
Description
Send bots to Zoom, Google Meet, and Microsoft Teams meetings. Get live transcripts, recordings, and reports. Self-hosted or cloud — no external API needed.
Usage Guidance
This skill is not internally consistent and has risky secret-handling practices. Key points before installing or using it: - Do not paste any API keys into chat. The onboarding instructions explicitly tell the assistant to write pasted keys to disk automatically; instead, create the secret file yourself (skills/vexa/secrets/vexa.env) with the VEXA_API_KEY and set file mode 600, or set VEXA_API_KEY in your environment. - Treat the bundled secrets files as compromised: the package already contains API keys. If you or your org used those keys, rotate/revoke them immediately and do not trust them. - The skill will read and may modify workspace/system files (openclaw.json, ~/.openclaw/*). Only allow that if you understand and consent to the exact changes (hooks.mappings, transformsDir). Prefer to make those configuration changes yourself rather than granting the assistant write permission. - If you want to test, run the scripts locally in an isolated environment (container or disposable VM) and review the code paths that write files (onboard.mjs, vexa.mjs, ingest.mjs, audit.mjs, vexa-transform.mjs). Confirm network endpoints (VEXA_BASE_URL) and ensure keys are stored securely. - If you don't trust the skill source (homepage unknown, owner unknown), avoid installing it in production. Ask the publisher to remove embedded secrets and to document why the package contains keys and the 'no external API needed' claim. Additional steps that would increase confidence: a) remove bundled credentials from the package, b) update registry metadata to declare VEXA_API_KEY as a required secret, c) change onboarding to ask the user to create the secret file themselves (or supply a secure upload), and d) provide a clear, auditable mechanism for any workspace config changes requiring explicit user approval.
Capability Analysis
Type: OpenClaw Skill Name: skill-vexa Version: 0.1.1 The skill bundle contains multiple hardcoded API keys within the 'secrets/' directory (vexa.env, vexa-prod.env, vexa-local.env), representing a significant credential leak. Additionally, the instructions in SKILL.md and references/onboarding-flow.md explicitly direct the AI agent to ask users to paste sensitive API keys directly into the chat interface, which is a high-risk pattern for secret exposure. While the functional logic for meeting bot management appears legitimate, the poor handling of secrets and the inclusion of active credentials in the distribution are major security flaws.
Capability Assessment
Purpose & Capability
The skill description claims "no external API needed", but all runtime scripts call a remote Vexa service (https://api.cloud.vexa.ai) and require VEXA_API_KEY. Registry metadata lists no required env vars, but the SKILL.md and scripts require VEXA_API_KEY and support endpoint switching. The bundled secrets files include multiple API keys. The need to read/write OpenClaw hooks (openclaw.json) and session files is plausible for webhook integration, but the external API dependency and embedded keys are inconsistent with the advertised purpose.
Instruction Scope
SKILL.md and references/onboarding-flow.md instruct the assistant to ask the user for an API key and immediately write it to skills/vexa/secrets/vexa.env (mode 600) without additional confirmation, to proactively set up webhooks (including editing openclaw.json), and to read local session/config files. Scripts read files in the user's home (~/.openclaw/*) and may enumerate sessions/configs. These instructions extend beyond simple 'help start a bot' behaviour and grant broad file access and the ability to modify workspace config; asking users to paste secrets directly into chat is especially problematic.
Install Mechanism
No separate install spec (instruction-only), but the skill ships with Node scripts that will be run. There are no external downloads, which reduces supply-chain risk, but the package itself contains embedded secret files (secrets/*.env and secrets/*.json) that include API keys. Bundling live credentials inside the skill package is a security/operational concern.
Credentials
Registry metadata lists no required env vars/credentials, yet runtime requires VEXA_API_KEY and optionally VEXA_BASE_URL; the skill also ships with multiple pre-populated secrets files containing API keys. Requiring a single API key for the Vexa service would be reasonable, but embedding keys in the package and instructing automatic persistence of pasted keys is disproportionate and risky. Scripts also read home-dir config and session files (openclaw.json, sessions.json), which increases scope.
Persistence & Privilege
The skill writes state and secret files into skills/vexa/secrets/ (persistKey), and onboarding instructions tell the assistant to create/write those files on behalf of the user. The skill also expects to add hook mappings to openclaw.json (workspace/system config) to enable automatic webhooks. While the skill is not force-included (always:false), the pattern of automatically persisting API keys and altering workspace hook configuration increases its privilege and persistence.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install skill-vexa
  3. After installation, invoke the skill by name or use /skill-vexa
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
v0.1.1: Added Zoom support, recordings (list/get/delete/download/config), meeting bundle command, simplified description, environment switching
v0.1.0
v0.1.0: Added Zoom support, recordings (list/get/delete/download/config), meeting bundle command, rewritten skill description
Metadata
Slug skill-vexa
Version 0.1.1
License
All-time Installs 1
Active Installs 1
Total Versions 2
Frequently Asked Questions

What is Skill Vexa?

Send bots to Zoom, Google Meet, and Microsoft Teams meetings. Get live transcripts, recordings, and reports. Self-hosted or cloud — no external API needed. It is an AI Agent Skill for Claude Code / OpenClaw, with 358 downloads so far.

How do I install Skill Vexa?

Run "/install skill-vexa" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill Vexa free?

Yes, Skill Vexa is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Skill Vexa support?

Skill Vexa is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Skill Vexa?

It is built and maintained by DmitriyG228 (@dmitriyg228); the current version is v0.1.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments