lauren-hayes-ai

Fathom

Author: lauren-hayes-ai · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 666
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install fathom-meetings
Description
Access Fathom AI meeting recordings, transcripts, summaries, and action items via the Fathom API. Use when the user asks about meeting notes, call summaries,...
Usage (SKILL.md)

Fathom

Pull meeting recordings, transcripts, summaries, and action items from Fathom AI Notetaker.

Setup

Store the API key in ~/.openclaw/secrets/fathom.env:

FATHOM_API_KEY=your-api-key-here
FATHOM_WEBHOOK_SECRET=your-webhook-secret-here

Get API key from Fathom: Settings → Integrations → API → Generate Key.

API Reference

Base URL: https://api.fathom.ai/external/v1
Auth header: X-Api-Key: <FATHOM_API_KEY>

List Meetings

curl "https://api.fathom.ai/external/v1/meetings?limit=20" \
  -H "X-Api-Key: $FATHOM_API_KEY"

Key query params:

  • limit (1-100, default 10)
  • created_after / created_before (ISO 8601)
  • recorded_by[] (email filter)
  • include_transcript=true (include full transcript)
  • include_action_items=true (include action items)
  • include_summary=true (include AI summary)

Response shape:

{
  "items": [{
    "title": "Meeting Name",
    "meeting_title": "Calendar Event Name",
    "url": "https://fathom.video/calls/123",
    "share_url": "https://fathom.video/share/abc",
    "created_at": "2026-02-17T20:00:00Z",
    "scheduled_start_time": "...",
    "scheduled_end_time": "...",
    "recording_start_time": "...",
    "recording_end_time": "...",
    "recording_id": 123,
    "transcript": "...",
    "default_summary": "...",
    "action_items": ["..."],
    "calendar_invitees": [{"name": "...", "email": "...", "is_external": true}],
    "recorded_by": {"name": "...", "email": "..."}
  }],
  "next_cursor": "..."
}

Pagination

Use next_cursor from response as cursor param in next request.

Matching Fathom to Calendar

Match by time overlap (recording_start_time within event window ± 15 min) or by title similarity. The calendar_invitees field shows who was invited; is_external flags non-org attendees.

Common Workflows

Pull action items from recent calls

source ~/.openclaw/secrets/fathom.env
curl -s "https://api.fathom.ai/external/v1/meetings?include_action_items=true&limit=20" \
  -H "X-Api-Key: $FATHOM_API_KEY"

Get full transcript for a specific date range

curl -s "https://api.fathom.ai/external/v1/meetings?include_transcript=true&created_after=2026-02-17T00:00:00Z&created_before=2026-02-18T00:00:00Z" \
  -H "X-Api-Key: $FATHOM_API_KEY"

Filter to external meetings only

After fetching, filter meetings where at least one calendar_invitees entry has is_external: true, or check the calendar_invitees_domains_type field for "one_or_more_external".

Sync script (calendar + Fathom → database)

See scripts/sync-fathom.js for a complete local sync script that:

  1. Refreshes Google OAuth token
  2. Pulls Google Calendar events for a date range
  3. Pulls Fathom meetings with action items
  4. Matches Fathom recordings to calendar events
  5. Upserts everything to Supabase (or any database)

Adapt the database layer to your needs.

Webhooks

Fathom can POST to your endpoint when recordings complete. Verify with FATHOM_WEBHOOK_SECRET. Use this for real-time sync instead of polling.

Tips

  • Action items from Fathom are AI-generated — review for accuracy
  • recorded_by shows who ran the Fathom bot, not necessarily the meeting organizer
  • Duplicate recordings happen when multiple team members run Fathom on the same call — deduplicate by matching scheduled_start_time + similar titles
  • The API returns meetings from all team members if using a team API key
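
The calendar matching rule and the duplicate-recording tip above, worked through as an added example (not code from the skill or from Fathom). The calendar event fields `id`, `summary`, `start` and `end`, the 0.5 similarity threshold and all sample records are assumptions constructed for illustration.

```javascript
// Added example: pair Fathom recordings with calendar events and drop duplicates.
// All sample data is CONSTRUCTED; calendar event fields (id/summary/start/end) are assumed.
const WINDOW_MS = 15 * 60 * 1000; // the +/- 15 min tolerance from the text

const tokens = (s) => new Set((s || '').toLowerCase().match(/[a-z0-9]+/g) || []);
function titleSimilarity(a, b) { // Jaccard overlap of title words, 0..1
  const A = tokens(a), B = tokens(b);
  const shared = [...A].filter((t) => B.has(t)).length;
  const union = new Set([...A, ...B]).size;
  return union === 0 ? 0 : shared / union;
}

function dedupeRecordings(items, minSim = 0.5) { // threshold is an assumption
  const kept = [];
  for (const m of items) {
    const dup = kept.some((k) => k.scheduled_start_time === m.scheduled_start_time &&
      titleSimilarity(k.title, m.title) >= minSim);
    if (!dup) kept.push(m);
  }
  return kept;
}

function matchToCalendar(items, events) {
  return items.map((m) => {
    const t = Date.parse(m.recording_start_time);
    const candidates = events.filter((e) =>
      t >= Date.parse(e.start) - WINDOW_MS && t <= Date.parse(e.end) + WINDOW_MS);
    // Several events can share a time slot, so break ties on title similarity.
    candidates.sort((x, y) =>
      titleSimilarity(y.summary, m.meeting_title) - titleSimilarity(x.summary, m.meeting_title));
    return { recording_id: m.recording_id, event_id: candidates[0]?.id ?? null };
  });
}

const sampleEvents = [
  { id: 'evt-1', summary: 'Acme weekly sync', start: '2026-02-17T20:00:00Z', end: '2026-02-17T20:30:00Z' },
  { id: 'evt-2', summary: 'Vendor pricing review', start: '2026-02-17T20:00:00Z', end: '2026-02-17T21:00:00Z' },
];
const sampleItems = [
  { recording_id: 123, title: 'Acme Weekly Sync', meeting_title: 'Acme weekly sync',
    scheduled_start_time: '2026-02-17T20:00:00Z', recording_start_time: '2026-02-17T19:52:00Z' },
  { recording_id: 124, title: 'Acme weekly sync (copy)', meeting_title: 'Acme weekly sync',
    scheduled_start_time: '2026-02-17T20:00:00Z', recording_start_time: '2026-02-17T20:01:00Z' },
  { recording_id: 125, title: 'Ad hoc call', meeting_title: 'Ad hoc call',
    scheduled_start_time: '2026-02-18T09:00:00Z', recording_start_time: '2026-02-18T09:00:00Z' },
];
console.log(matchToCalendar(dedupeRecordings(sampleItems), sampleEvents));
```

Recordings with no event inside the window come back with `event_id: null` rather than being forced onto the nearest event.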
Security guidance
Do not install or run this skill without addressing the issues below. The included sync script will read local secret files (Fathom API key and Google OAuth client/refresh token) and will upload meeting metadata and action items to a hard-coded Supabase URL using an embedded service key. That means your meeting transcripts, attendee emails, and action items could be sent to a third-party database you do not control. If you need this functionality:

  1. Ask the author to declare required secrets and config paths in the registry metadata.
  2. Remove any hard-coded remote keys/URLs and replace them with configurable endpoints so you can use your own database/service.
  3. Only provide Google OAuth tokens with minimal scopes and review the code to ensure it only requests needed calendar data.
  4. Run the sync script in an isolated environment or inspect & modify it to avoid sending transcripts off-site.
  5. If you do not trust the author or cannot run the script locally under your control, do not grant it access to your secrets or run it.

Because the registry claims no required credentials while the code clearly needs sensitive tokens and pushes data externally, treat this skill as suspicious and verify/correct these issues before use.
Functional analysis
Type: OpenClaw Skill Name: fathom-meetings Version: 1.0.0 The skill is classified as suspicious due to a critical security vulnerability in `scripts/sync-fathom.js`. A Supabase `service_role` API key (`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InV5cHF6d2F6ZXhnd2VhemRhdXZqIiwicm9sZSI6InNlcnZpY2Vfcm9sZSIsImlhdCI6MTc3MTM4ODQ5MiwiZXhwIjoyMDg2OTY0NDkyfQ.OSPNdNnDpekNRCqB-t1Efe8IkX0U881gsUqnqWs8hk`) is hardcoded directly into the script. This `service_role` key typically bypasses Row Level Security and grants full read/write access to the Supabase database (`https://uypqzwazexgweazdauvj.supabase.co`). While the script's stated purpose is to sync data, hardcoding such a powerful key in a client-side script is a severe misconfiguration that makes the entire Supabase database vulnerable to compromise if the key is exposed or the script is exploited.
Capability assessment
Purpose & Capability
The skill claims to access Fathom recordings and optionally sync with calendars/databases. SKILL.md and scripts indeed use a FATHOM_API_KEY and describe calendar sync. However the registry declares no required env vars/config paths, yet the included script reads multiple local secret files (fathom.env, google-oauth.json, google-tokens-daniel.json) and contains a hard-coded Supabase URL and service key. Those additional requirements (Google creds + database push) are not declared and go beyond the minimal 'read Fathom' purpose.
Instruction Scope
SKILL.md instructs fetching meetings and mentions a sync script that refreshes Google OAuth tokens, reads calendar events, matches recordings, and upserts transcripts/action items to a database. The script will read secrets from ~/.openclaw/secrets and send meeting metadata (attendees, transcripts, action items, share URLs) to an external Supabase instance — i.e., it collects and transmits potentially sensitive meeting content to a third-party endpoint not described in the top-level metadata.
Install Mechanism
There is no install spec (instruction-only), which is lower risk for arbitrary downloads. However a local script is included that will run locally if the agent invokes it; that script contains embedded network endpoints and credentials (no external download but local execution could cause exfiltration).
Credentials
Registry lists no required environment variables, but SKILL.md expects FATHOM_API_KEY and FATHOM_WEBHOOK_SECRET in ~/.openclaw/secrets/fathom.env. The script also requires google-oauth.json and google-tokens-daniel.json (Google client creds and refresh token) and uses a hard-coded SUPABASE_KEY. Requesting or reading Google tokens and writing meeting transcripts to a third-party DB is a disproportionate level of access relative to the basic 'read Fathom meetings' description and is not declared.
Persistence & Privilege
The skill is not 'always' enabled, but the included script reads sensitive files from the user's home (~/.openclaw/secrets) and will persist user meeting data to a remote Supabase instance using a hard-coded key. That remote persistence of potentially sensitive transcripts and attendee data is a significant privilege/persistence concern even though the skill itself does not request platform-wide always-on access.
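
One way to triage a skill script for the three findings in the assessment above (an embedded JWT with a privileged role, an undeclared remote endpoint, and reads from the secrets directory), as an added example that is not part of the skill or of the marketplace's scanner. The sample script, its token, the project ref `exampleprojectref` and the allow-list are constructed for illustration; the token is built from made-up claims and is not the key quoted on this page.

```javascript
// Added example: static triage of a skill script for embedded JWTs and endpoints.
// The sample below is CONSTRUCTED; its token is built from made-up claims.
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const sampleToken = [
  b64url({ alg: 'HS256', typ: 'JWT' }),
  b64url({ iss: 'supabase', ref: 'exampleprojectref', role: 'service_role', exp: 2000000000 }),
  'c2lnbmF0dXJlLXBsYWNlaG9sZGVy', // placeholder signature, never verified here
].join('.');
const sampleScript = `
const SUPABASE_URL = 'https://exampleprojectref.supabase.co';
const SUPABASE_KEY = '${sampleToken}';
const env = fs.readFileSync(os.homedir() + '/.openclaw/secrets/fathom.env', 'utf8');
`;

const JWT_RE = /eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
const URL_RE = /https?:\/\/[A-Za-z0-9.-]+/g;
const SECRET_PATH_RE = /\.openclaw\/secrets\/[\w.-]+/g;

function decodeClaims(token) {
  try {
    return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
  } catch {
    return null; // shaped like a JWT, but the payload is not valid JSON
  }
}

function auditSkillSource(source, allowedHosts = ['api.fathom.ai']) {
  const findings = [];
  for (const token of source.match(JWT_RE) || []) {
    const claims = decodeClaims(token);
    if (!claims) continue;
    findings.push({
      kind: 'embedded-jwt',
      severity: claims.role === 'service_role' ? 'critical' : 'high',
      detail: `iss=${claims.iss} role=${claims.role} exp=${claims.exp}`,
    });
  }
  for (const url of new Set(source.match(URL_RE) || [])) {
    const host = new URL(url).hostname;
    if (!allowedHosts.includes(host))
      findings.push({ kind: 'undeclared-endpoint', severity: 'high', detail: host });
  }
  for (const p of new Set(source.match(SECRET_PATH_RE) || []))
    findings.push({ kind: 'secret-file-read', severity: 'medium', detail: p });
  return findings;
}

console.log(auditSkillSource(sampleScript));
```

Decoding the payload is what separates a low-privilege publishable key from a `service_role` key; the signature is not needed for that, so the check works without any secret.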
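How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install fathom-meetings
  3. Once installed, call the skill by name or trigger it with /fathom-meetings
  4. Provide the required inputs according to the skill's parameter documentation to get structured output
Version history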
v1.0.0
Initial release of the Fathom meetings skill with API integration.

  • Allows access to Fathom AI meeting recordings, transcripts, summaries, and action items via the Fathom API.
  • Includes setup steps for API key and webhook secret configuration.
  • Provides bash examples for listing meetings, retrieving action items, and filtering meetings.
  • Documents pagination, matching Fathom records with calendar events, and meeting invitee details.
  • Describes usage of webhooks for real-time updates and tips for data handling and accuracy.
Metadata
Slug fathom-meetings
Version 1.0.0
License
Total installs 0
Current installs 0
Version count 1
Frequently asked questions

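What is Fathom?

Access Fathom AI meeting recordings, transcripts, summaries, and action items via the Fathom API. Use when the user asks about meeting notes, call summaries,... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 666 total downloads to date.

How do I install Fathom?

Run the command "/install fathom-meetings" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Fathom free?

Yes, Fathom is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Fathom support?

Fathom runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Fathom?

Developed and maintained by lauren-hayes-ai (@lauren-hayes-ai); the current version is v1.0.0.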
