Meegle API
PassAudited by ClawScan on May 10, 2026.
Overview
This is a documentation-only Meegle API skill, but it can guide an agent to use Meegle credentials for project changes and deletions.
Install this only if you want your agent to help call Meegle APIs. Configure credentials securely, use the narrowest Meegle permissions possible, and explicitly review any operation that creates, updates, deletes, or changes project settings.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with sufficient permissions, the agent could create, update, or delete Meegle project settings, roles, fields, relationships, comments, or work items.
The skill documents high-impact Meegle API operations that can change project configuration. This is purpose-aligned for an API skill, but users should notice that these are not read-only operations.
Use when you need to read or change space or work item settings ... Workflow settings ... Create/Update/Delete workflow templates
Use least-privilege Meegle plugin scopes and require explicit user confirmation before any create, update, or delete operation, especially for settings and workflow changes.
Anyone or any agent process with access to these credentials may be able to act against the configured Meegle project within the plugin's permissions.
The skill expects Meegle plugin credentials and user/project identifiers. That is expected for this integration, but these credentials grant account/project API authority.
`MEEGLE_PLUGIN_ID`, `MEEGLE_PLUGIN_SECRET`, `MEEGLE_DOMAIN`, `MEEGLE_PROJECT_KEY`, `MEEGLE_USER_KEY`
Store secrets only in a protected secret manager or trusted environment, avoid broad plugin permissions, and rotate credentials if they may have been exposed.
Cached tokens could be reused until expiry and may expose Meegle access if stored in shared or insecure agent memory.
The skill recommends token caching and refresh behavior. This is common API plumbing, but token persistence should be bounded and protected.
Cache plugin_access_token globally; Bind user_access_token to conversation/session; Auto-refresh user_access_token
Keep plugin tokens short-lived and protected, bind user tokens to the active session, and avoid exposing tokens in logs, prompts, or shared memory.