
sales-fathom

Integrates Fathom AI note-taking capabilities with CRMs and data warehouses, enabling seamless access to meeting transcripts and action items.

Security score: 0/100

The sales-fathom skill was audited on Jun 3, 2026 and we found 19 security issues across 3 threat categories, including 2 high-severity. Review the findings below before installing.

Security Issues

high (line 77)

Template literal with variable interpolation in command context

Source: SKILL.md, line 77:
- **Webhook signatures use Svix-style HMAC-SHA256** with three headers (`webhook-id`, `webhook-timestamp`, `webhook-signature`). The secret string starts with `whsec_` — strip that prefix and base64-d

high (line 125)

Template literal with variable interpolation in command context

Source: SKILL.md, line 125:
**Solution**: `base64.b64decode(secret.split('_')[1])` — HMAC the signed content `${webhook-id}.${webhook-timestamp}.${raw_body}` (must be raw body, NOT JSON-parsed-and-re-serialized), base64-encode t

medium (line 3)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 3:
description: "Fathom AI note-taker platform help — REST API for pulling meeting transcripts, summaries, action items, and CRM matches into CRMs, data warehouses, or Slack. Use when transcripts not syn

medium (line 18)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 18:
- B) Build a backend integration (API, webhooks, OAuth, SDK)

medium (line 19)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 19:
- C) Troubleshoot webhook delivery / HMAC signature verification

medium (line 46)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 46:
| Anything Fathom-platform-specific (API, webhooks, pricing, integrations, bot behavior) | Stay here |

medium (line 54)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 54:
**Read `references/fathom-api-reference.md`** for verbatim API docs — endpoints, request/response schemas, OAuth flow, webhook HMAC verification, rate limits, SDK methods.

medium (line 62)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 62:
1. **For API/webhook questions** — give a concrete code snippet (cURL, Python, or TypeScript based on user's stack), note the auth header or OAuth scope required, and flag the 60-req/min rate limit if

medium (line 63)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 63:
2. **For transcript pipeline design** — recommend webhook-first (create one via `POST /webhooks` with `include_transcript=true` and the right `triggered_for` array) and fall back to polling `GET /meet

medium (line 75)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 75:
- **Create-webhook requires at least one of `include_transcript`, `include_crm_matches`, `include_summary`, or `include_action_items`** to be `true`. An empty payload is rejected.

medium (line 77)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 77:
- **Webhook signatures use Svix-style HMAC-SHA256** with three headers (`webhook-id`, `webhook-timestamp`, `webhook-signature`). The secret string starts with `whsec_` — strip that prefix and base64-d

medium (line 95)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 95:
**User says**: "I built a webhook receiver for Fathom but transcripts aren't showing up in Snowflake — webhooks hit but payload looks wrong"

medium (line 97)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 97:
1. Confirms webhook was created with `include_transcript=true` (otherwise payload has no transcript body)

medium (line 99)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 99:
3. Recommends a reconcile-poll pattern: daily `GET /meetings?created_after={yesterday}` to catch any webhook deliveries that failed

medium (line 101)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 101:
**Result**: Correct webhook payload shape + reconcile-poll fallback so no transcripts get lost.

medium (line 123)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 123:
### Webhook fires but signature verification fails

medium (line 125)

Webhook reference - potential data exfiltration

Source: SKILL.md, line 125:
**Solution**: `base64.b64decode(secret.split('_')[1])` — HMAC the signed content `${webhook-id}.${webhook-timestamp}.${raw_body}` (must be raw body, NOT JSON-parsed-and-re-serialized), base64-encode t

medium (line 77)

Base64 decode operation

Source: SKILL.md, line 77:
- **Webhook signatures use Svix-style HMAC-SHA256** with three headers (`webhook-id`, `webhook-timestamp`, `webhook-signature`). The secret string starts with `whsec_` — strip that prefix and base64-d

medium (line 125)

Base64 decode operation

Source: SKILL.md, line 125:
**Solution**: `base64.b64decode(secret.split('_')[1])` — HMAC the signed content `${webhook-id}.${webhook-timestamp}.${raw_body}` (must be raw body, NOT JSON-parsed-and-re-serialized), base64-encode t

Scanned on Jun 3, 2026