meegle-api
PassAudited by ClawScan on May 10, 2026.
Overview
This instruction-only Meegle API guide is coherent and not suspicious, but it relies on sensitive Meegle credentials and documents high-impact project write/delete APIs.
This looks like a normal instruction-only Meegle API skill. Install it only if you want OpenClaw to call Meegle APIs, keep the configured plugin secret protected, scope permissions narrowly, and confirm any write/delete or user-membership changes before allowing the agent to execute them.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with powerful credentials, an agent could change or delete project settings, roles, relationships, or workflows when carrying out a user request.
The skill documents API operations that can create, update, or delete Meegle project configuration. This is consistent with the stated Meegle API purpose, but these are high-impact business/project mutations.
Relationship settings | List/create/update/delete work item relationships ... Roles | Create/get/update/delete workflow role ... Workflow settings | Get/create/update/delete workflow templates
Use least-privilege Meegle permissions and require explicit user confirmation before create, update, delete, membership, or other irreversible project-changing calls.
Anyone or any agent session with access to those configured credentials may be able to access Meegle data and perform actions allowed by the plugin permissions.
The skill requires Meegle plugin credentials and user/project context stored in OpenClaw configuration, and it tells the agent to reuse a token during the session. This is expected for the integration but grants delegated Meegle account/API authority.
Credentials must be configured in the OpenClaw config file ... `~/.openclaw/openclaw.json` → `skills.entries["meegle-api"].env` with the five variables above ... cache and reuse `plugin_access_token` within the same session
Store credentials securely, restrict filesystem access to the config, use a plugin with minimal Meegle permissions and project scope, and rotate secrets if they may have been exposed.