Trust Assessment
zoom-manager received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 0 critical, 1 high, 4 medium, and 0 low severity. Key findings include "Suspicious import: requests" and "Inconsistent Credential Loading from `config.json`".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Inconsistent Credential Loading from `config.json`. Multiple skill scripts (`create_meeting.js`, `create_meeting.py`, `delete_meeting.js`, `delete_meeting.py`, `get_meeting_info.js`, `get_meeting_info.py`, `list_meetings.js`, `list_meetings.py`) are designed to load sensitive Zoom API credentials (Client ID, Client Secret, Account ID) from a `config.json` file located in the parent directory. This directly contradicts the `SKILL.md` documentation and the `scripts/zoom-cli.js` entry point, which correctly instruct and implement the use of environment variables for these secrets. If a `config.json` file containing credentials is present and these individual scripts are executed directly (e.g., outside of `zoom-cli.js`), it creates a significant credential harvesting risk, especially if the file is accidentally committed to version control or deployed to an insecure location. Modify all individual scripts (`scripts/*.js` and `scripts/*.py`) to exclusively retrieve sensitive credentials from environment variables (e.g., `process.env` in Node.js, `os.environ` in Python), consistent with `scripts/zoom-cli.js` and the `SKILL.md` instructions. Ensure that `config.json` is never used, created, or distributed with the skill package. | LLM | scripts/create_meeting.js:5 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/vnagin/zoom-manager-clawd/scripts/create_meeting.py:3 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/vnagin/zoom-manager-clawd/scripts/delete_meeting.py:2 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/vnagin/zoom-manager-clawd/scripts/get_meeting_info.py:10 |
| MEDIUM | Suspicious import: requests. Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/vnagin/zoom-manager-clawd/scripts/list_meetings.py:8 |