Lark Project / Meegle

v0.1.4

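Connects to Lark Project/Meegle to query and manage work items, to-dos, and more. Automatically detects login status and guides the user through Device Code authorization when not logged in.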

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the behavior: the skill runs the Meegle CLI via npx to query and manage work items. Requested binaries (node, npx) and the install of @lark-project/meegle are appropriate and expected.
Instruction Scope
SKILL.md prescribes running npx commands, a Device Code OAuth flow, URL parsing for host/project extraction, and polling for authorization. These actions are within the stated purpose. The instructions require immediate polling after presenting the verification URL (blocking behaviour) — operationally important but not a scope creep or data-exfil pattern. No steps ask the agent to read unrelated files or environment variables.
Install Mechanism
Install uses an npm package (@lark-project/meegle) which is a normal, traceable mechanism for a Node CLI. This is moderate-risk compared to instruction-only skills because installing/executing an npm package runs third-party code; that risk is expected here but worth reviewing before install.
Credentials
The skill declares no environment variables or external credentials; authentication is performed interactively via the Device Code flow through the CLI (tokens will be managed by the CLI). No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. It relies on the CLI to persist tokens locally (normal for an OAuth Device Code flow) and does not ask to modify other skills or system-wide agent settings.
Assessment
This skill appears coherent: it runs the Meegle CLI via npx and uses the OAuth Device Code flow to authenticate. Before installing or allowing automatic runs, consider:
1) Verify the npm package and its maintainers (view the package page, check stars/maintainer history and repository code) because npx installs/executes third-party code at runtime.
2) Understand that auth tokens will be stored/managed by the CLI on the host; if you share your agent environment, those tokens could be used there.
3) If you want to limit risk, install and inspect @lark-project/meegle in a sandbox/local dev environment first (or pin a specific vetted version) rather than blindly running npx@latest.
4) If you need stronger guarantees, ask for the package source repo to review or run the CLI behind network controls.
Overall: functionally consistent, but treat npm-executed code with normal caution.



Runtime requirements

📋 Clawdis
Bins: node, npx

Install

Node
Bins: meegle
npm i -g @lark-project/meegle
