Flowyteam Mcp
PassAudited by ClawScan on May 5, 2026.
Overview
This is a disclosed FlowyTeam MCP connector, but it gives an AI agent powerful token-based access to read, create, update, and delete business workspace data.
Install only if you are comfortable letting an AI agent access your FlowyTeam workspace through an API token. Use a limited-permission token, avoid password login in shared environments, confirm every write or delete action, and revoke the token if you stop using the integration.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user mishandles confirmations, it could create, modify, or delete important workspace records such as tasks, employees, invoices, expenses, contracts, or notices.
The skill intentionally exposes broad read/write workspace operations, including create, update, and delete actions across business records.
**34 tools. Read and write access to your workspace. No extra software required.**
Use the least-privileged FlowyTeam token available, prefer read-only checks first, and require explicit current-turn confirmation before every create, update, or delete action.
Anyone or any agent with the token may be able to access or change FlowyTeam data within that token's permissions.
The integration requires a FlowyTeam API token that grants delegated workspace access; this is expected for the service but sensitive.
FLOWYTEAM_API_TOKEN ... description: "API token from FlowyTeam Settings → MCP & AI Integration." ... required: true
Prefer generating a limited-permission token, avoid admin tokens unless necessary, do not paste tokens into shared chats, and revoke the token when no longer needed.
Workspace data requested through the agent is sent to and returned from FlowyTeam's remote MCP service.
Tool calls and returned workspace data flow through a remote FlowyTeam MCP endpoint; the endpoint is disclosed and purpose-aligned.
RPC: `POST https://flowyteam.com/api/v2/mcp/rpc` ... Transport: Streamable HTTP (JSON-RPC 2.0)
Use only the official HTTPS FlowyTeam endpoint and avoid sending unnecessary sensitive business data through the agent.
Users may need to verify they are installing the intended official FlowyTeam connector before granting a workspace token.
The README links a different ClawHub namespace than the provided source/registry identifiers, creating minor provenance ambiguity for a credentialed integration.
[ClawhHub](https://clawhub.ai/agungksidik/flowyteam-mcp)
Confirm the package source, homepage, and endpoint are the official FlowyTeam ones before adding credentials.