zoom-mcp

Pass

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: SAFE PROMPT_INJECTION EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection Surface]: The skill enables an agent to ingest and process external meeting data, including summaries and transcript-capable resources via tools like get_meeting_assets and get_recording_resource. As this data originates from meeting participants, it represents a potential surface where external instructions could influence the agent's logic.
      • Evidence: Found in references/tools.md and examples/transcript-retrieval.md which describe fetching meeting-linked assets and recording content.
      • Mitigation: The documentation encourages using specific tool schemas and provides error handling guidance to maintain deterministic behavior.
  • [Credential Management Configuration]: The guidance describes the management of sensitive OAuth credentials, such as client IDs and access tokens, using environment variables like ZOOM_MCP_ACCESS_TOKEN and ZOOM_CLIENT_SECRET.
      • Evidence: Detailed setup instructions are provided in concepts/oauth-setup.md and RUNBOOK.md.
      • Context: This is a standard approach for secure local development, and the documentation highlights the sensitivity of these values, particularly when recommending refresh token management.
  • [External Service References]: For development and troubleshooting, the skill suggests using third-party services like webhook.site or ngrok to capture OAuth redirect codes.
      • Evidence: Mentioned as diagnostic options in concepts/oauth-setup.md.
      • Context: The guide explicitly notes that authorization codes are sensitive and provides warnings against using shared or long-lived capture URLs.
  • [Standard Service Integration]: The skill connects to official Zoom infrastructure at mcp-us.zoom.us, mcp.zoom.us, and zoom.us for tool execution and authentication.
      • Evidence: Endpoints are defined in SKILL.md and concepts/mcp-architecture.md.
      • Context: These are legitimate vendor resources required for the skill to communicate with the Zoom platform.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 9, 2026, 11:37 PM