Code Pluginsource linkedVerified

Google Meetv2026.5.28

OpenClaw Google Meet participant plugin for joining calls through Chrome or Twilio transports.

@openclaw/google-meet·runtime google-meet·by @openclaw

openclaw plugins install clawhub:@openclaw/google-meet

Latest release: v2026.5.28Download zip

Capabilities

Compatibility

Built With Open Claw Version

2026.5.28

Min Gateway Version

>=2026.4.20

Plugin Api Range

>=2026.5.28

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

high confidence

Purpose & Capability

The stated package and manifest purpose centers on joining Google Meet calls, while the tool also supports calendar lookup, artifact and attendance retrieval, transcript and document-body export, and ending an active conference. These are Meet-related, but broader and higher impact than the top-level description discloses.

Instruction Scope

Sensitive actions are available through the same google_meet tool and CLI; export and end_active_conference are explicit actions, but the artifacts do not show a separate confirmation, role gate, or scoped permission split before writing meeting data or ending a conference.

✓

Install Mechanism

The package is an official @openclaw release, source-linked to openclaw/openclaw, has no install script, depends only on commander and typebox, and VirusTotal telemetry is clean. The manifest says it is not enabled by default.

ℹ

Credentials

Chrome automation, a signed-in browser profile, microphone/camera permission grants, audio routing, Twilio dial-in, Google OAuth APIs, and realtime transcription/voice providers are proportionate for a meeting participant plugin, but they are privacy-sensitive and should be expected by the installer.

Persistence & Privilege

The plugin stores or accepts OAuth credentials, can print token JSON during login, accepts raw credential overrides in tool parameters, and can persist transcripts, attendance, artifacts, and optional ZIP archives to disk.

Scan Findings in Context

[SDI-1] expected: The broader Meet-management capabilities are real and related to the domain, but the README and manifest emphasize joining calls and do not clearly surface export or conference-ending authority.

[SDI-2] expected: Exporting artifacts and attendance is explicitly implemented and user-invoked; the concern is persistent local storage of sensitive meeting content without a prominent safeguard in the artifact.

[SDI-2] unexpected: Ending an active conference is a destructive administrative action that is explicitly present but not naturally implied by a join/track participant tool.

[SQP-2] expected: Drive document export is opt-in through includeDocumentBodies and limited to Google hosts, but it can retrieve transcript or smart-note body text without a separate confirmation step.

[SQP-2] expected: The OAuth login helper prints credentials so the user can paste them into config; this is functional, but users should avoid running it in logged or shared terminals.

[SQP-2] expected: The CLI export command deliberately writes meeting artifacts, transcript markdown, attendance files, raw JSON, and optional ZIP output; this is disclosed by the command name but remains sensitive persistence.

[SQP-2] expected: Returning browser node and target identifiers is tied to browser automation diagnostics, but exposing these values to broad callers or logs could leak control-plane details.

[SQP-2] expected: Automatic join behavior is central to the plugin; browser URLs are restricted to meet.google.com, while Twilio dial-in still relies on user-supplied or configured phone details.

[SQP-2] expected: Granting Meet microphone and camera permissions is expected for talk-back modes, but users should understand this can enable audio/video capture in the OpenClaw browser profile.

[SQP-2] expected: Joining private meetings and routing audio to transcription or voice providers is core functionality, but the plugin-level privacy disclosure is thinner than the capability warrants.

[PE3] expected: Credential override parameters are useful for CLI/tool flexibility, but passing OAuth tokens through tool calls increases the chance they appear in prompts, logs, or traces.

What to consider before installing

Install only if you want OpenClaw agents to join private Google Meet calls and you trust the configured agents with meeting audio, transcripts, attendance, and Meet OAuth authority. Keep access to the google_meet tool limited, avoid passing OAuth tokens through prompts or normal tool parameters, treat exports and ZIP files as sensitive records, and use the conference-ending action only with explicit operator intent.

✗

dist/index.js:370

Shell command execution detected (child_process).

✗

dist/chrome-create-B3zyjf5f.js:139