Flowyteam Mcp

Pass

Audited by VirusTotal on May 5, 2026.

Overview

Type: OpenClaw Skill
Name: flowyteam-mcp
Version: 1.1.8

The FlowyTeam MCP skill bundle provides a comprehensive interface for managing the FlowyTeam SaaS platform (tasks, OKRs, HR, CRM, and finance) via 34 tools. The bundle interacts exclusively with official endpoints at flowyteam.com and includes explicit safety instructions in SKILL.md requiring the AI agent to obtain user confirmation for all write or delete operations. While the documentation describes an optional authentication flow that involves passing user credentials to the API (auth_login), it includes appropriate security warnings and recommends the use of API tokens instead. No evidence of data exfiltration, malicious execution, or prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent or user mishandles confirmations, it could create, modify, or delete important workspace records such as tasks, employees, invoices, expenses, contracts, or notices.

Why it was flagged

The skill intentionally exposes broad read/write workspace operations, including create, update, and delete actions across business records.

Skill content

**34 tools. Read and write access to your workspace. No extra software required.**

Recommendation

Use the least-privileged FlowyTeam token available, prefer read-only checks first, and require explicit current-turn confirmation before every create, update, or delete action.

What this means

Anyone or any agent with the token may be able to access or change FlowyTeam data within that token's permissions.

Why it was flagged

The integration requires a FlowyTeam API token that grants delegated workspace access; this is expected for the service but sensitive.

Skill content

FLOWYTEAM_API_TOKEN ... description: "API token from FlowyTeam Settings → MCP & AI Integration." ... required: true

Recommendation

Prefer generating a limited-permission token, avoid admin tokens unless necessary, do not paste tokens into shared chats, and revoke the token when no longer needed.

What this means

Workspace data requested through the agent is sent to and returned from FlowyTeam's remote MCP service.

Why it was flagged

Tool calls and returned workspace data flow through a remote FlowyTeam MCP endpoint; the endpoint is disclosed and purpose-aligned.

Skill content

RPC: `POST https://flowyteam.com/api/v2/mcp/rpc` ... Transport: Streamable HTTP (JSON-RPC 2.0)

Recommendation

Use only the official HTTPS FlowyTeam endpoint and avoid sending unnecessary sensitive business data through the agent.

What this means

Users may need to verify they are installing the intended official FlowyTeam connector before granting a workspace token.

Why it was flagged

The README links a different ClawHub namespace than the provided source/registry identifiers, creating minor provenance ambiguity for a credentialed integration.

Skill content

[ClawhHub](https://clawhub.ai/agungksidik/flowyteam-mcp)

Recommendation

Confirm the package source, homepage, and endpoint are the official FlowyTeam ones before adding credentials.