Skill v1.0.3

ClawScan security

Meegle API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 25, 2026, 2:34 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only API wrapper for the Meegle (Feishu/Lark Project) OpenAPI; its requested credentials and behaviors are coherent with that purpose, though there's a minor metadata mismatch about where required credentials are declared.
Guidance
This skill is a documentation-style, instruction-only wrapper around Meegle's OpenAPI and appears internally consistent with that purpose. Before installing or using it: (1) Confirm you are comfortable providing plugin_id and plugin_secret and that you will store them as secrets (do not paste them in chat). (2) Prefer using environment or platform secret storage (MEEGLE_PLUGIN_ID, MEEGLE_PLUGIN_SECRET, MEEGLE_PROJECT_KEY, MEEGLE_USER_KEY) so the agent won't prompt every time. (3) Note the SKILL.md requires server-side exchange/refresh for user_access_token — follow that advice to avoid leaking tokens client-side. (4) Verify the platform recognizes the SKILL.md required_credentials (there is a mismatch with the registry summary that listed no required env vars). (5) If you install in a team environment, limit the scope of the plugin_secret and rotate it if exposed. If you want, provide the platform's skill manifest or installation UI screenshot so I can re-check that the required credentials are being declared and handled as secrets.

Review Dimensions

Purpose & Capability
ok
The skill's name and description match its contents: a collection of sub-skills for Meegle OpenAPI (users, space, work items, settings, comments, views). The credentials it explains needing (plugin_id, plugin_secret, domain, project_key, user_key) are appropriate and expected for calling Meegle OpenAPI.
Instruction Scope
ok
SKILL.md instructs the agent to read the credentials sub-skill first, then call documented Meegle endpoints. It does not instruct the agent to read unrelated system files, exfiltrate data, or call endpoints outside the Meegle domains (project.larksuite.com / project.feishu.cn). It also includes reasonable guidance about token caching and server-side user token exchange.
Install Mechanism
ok
This is instruction-only with no install spec and no code files — lowest-risk delivery. README mentions Clawhub lookup but no installer or remote downloads are executed by the skill itself.
Credentials
note
The SKILL.md (meegle-api-credentials) declares required credentials (plugin_id, plugin_secret, domain, project_key, user_key) and recommends environment variables (MEEGLE_*). These credentials are proportionate to the API purpose. However, the registry summary at the top listed 'Required env vars: none', which is inconsistent with the skill metadata — confirm the platform will treat the SKILL.md required_credentials as secret inputs and not ignore them. Treat plugin_secret and tokens as sensitive and store them in the platform's secret store.
Persistence & Privilege
ok
always:false (default). The skill does not request permanent system presence, does not include an install step that would write binaries, and does not instruct changing other skills' configs. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.