Skill v1.0.3
ClawScan security
meegle-api · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 8:33 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only Meegle (Feishu/Lark Project) API skill whose declared environment variables and runtime instructions are consistent with the documented API usage; nothing in the package suggests hidden exfiltration or unrelated access, but it does instruct storing credentials in your OpenClaw config so review that behavior before installing.
- Guidance: This skill is an organized set of API call templates for Meegle and appears coherent with its stated purpose. Before installing: (1) review the included meegle-api-credentials SKILL.md to confirm exactly how tokens are obtained and where secrets are used; (2) be aware the README instructs you to store credentials in ~/.openclaw/openclaw.json under skills.entries["meegle-api"].env — that's a config file on your machine, so only add secrets there if you trust the skill and understand how OpenClaw protects that file; (3) consider using short-lived user_access_token or limited-scope plugin credentials where possible and avoid storing long-lived secrets in plaintext; (4) since the package relies on read-file semantics, ensure you trust the skill pack contents (it will read the SKILL.md files you installed); and (5) if you need stricter isolation, prefer providing per-session tokens at runtime rather than permanent entries in global config.
Review Dimensions
- Purpose & Capability (ok): The skill is an index and collection of Meegle OpenAPI sub-skills. The five required env vars (plugin id/secret, domain, project_key, user_key) are appropriate and expected for calling Meegle APIs and obtaining tokens. Nothing requested is unrelated to the stated purpose.
- Instruction Scope (note): Runtime instructions direct the agent to read the included SKILL.md files (read-file) and to read the separate credentials file (meegle-api-credentials) before making API calls — this is appropriate. The README/SKILL.md also instructs placing credentials into the user's OpenClaw config file (~/.openclaw/openclaw.json) and to cache plugin_access_token within the session. That file-path recommendation is outside the skill directory and is prescriptive; it should be reviewed by the user (see guidance).
- Install Mechanism (ok): This is instruction-only with no install spec and no code files to execute. Lowest-risk install model (nothing is downloaded or written by an installer).
- Credentials (ok): The set of required environment variables is small and directly related to Meegle API auth and context. They are sensitive (plugin_secret, user_key), but their presence is justified by the skill’s purpose. The skill does recommend storing these in ~/.openclaw/openclaw.json (not declared as a required config path), which is a configuration choice rather than unexplained credential access.
- Persistence & Privilege (ok): The skill does not request permanent 'always' inclusion and does not modify other skills. Its only persistence-related guidance is to cache plugin_access_token within a session (typical for API clients) and to store credentials in the user's OpenClaw config under the skill's own entry — this is standard but should be consciously approved by the user.
