ClawHub

Meegle Mcp

v0.1.1

Interact with Meegle project management system via MCP protocol

0· 918·0 current·0 all-time
byDaniel@pkycy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, README, SKILL.md, and proxy implement an MCP proxy to talk to Meegle/Larksuite (this matches the stated purpose). However, the registry metadata only declares MEEGLE_USER_KEY as required while the code and instructions clearly require MEEGLE_MCP_KEY (and optionally MEEGLE_MCP_URL). The missing declared env var is an inconsistency that could mislead users about what secrets the skill needs.
!
Instruction Scope
Runtime instructions and the included setup script instruct the user to write MEEGLE_USER_KEY and MEEGLE_MCP_KEY into shell profile files (~/.bashrc, ~/.zshrc). The proxy forwards JSON-RPC messages to the configured MCP endpoint and constructs the endpoint URL embedding both keys as query parameters. The proxy also prints a partial user key to stderr on startup. These behaviors persist secrets to disk (in plain text shell profiles), expose credentials in request URLs (which can be logged by intermediaries/servers), and write identifying fragments to logs — all of which increase risk and should be considered before installing.
Install Mechanism
There is no external download/install spec — the package is instruction + local scripts. That reduces remote-install risk. The setup.sh script is included and will modify the user's shell config (and export credentials for the current session). Making the proxy executable and running node are standard for this type of skill; there are no remote code fetches in the provided files.
!
Credentials
The skill requires sensitive credentials: MEEGLE_USER_KEY and MEEGLE_MCP_KEY. The registry metadata only declared MEEGLE_USER_KEY (primaryEnv), but both keys are required at runtime by scripts — a transparency problem. The setup script advises saving both keys in shell profiles (plain text). The proxy constructs URLs with these keys as query parameters, which may be logged by servers or intermediaries. Requesting/storing two keys is reasonable for an API proxy, but the omission from declared requirements and the recommended storage method are disproportionate risks that should be addressed.
Persistence & Privilege
The skill is not set to always:true and allows user invocation (normal). It does not modify other skills or system settings. However, the included setup.sh persists credentials to the user's shell configuration files, creating lasting secrets on disk — this is expected for a local integration but is a privilege with security implications and should be noted to users.
What to consider before installing
This skill mostly does what it says (an MCP proxy to Meegle), but there are a few red flags to consider before installing: - The skill actually needs two secrets (MEEGLE_USER_KEY and MEEGLE_MCP_KEY), but the registry only declared MEEGLE_USER_KEY. Expect to provide both keys. - setup.sh writes those keys into your shell profile (~/.bashrc, ~/.zshrc) in plain text. If you are concerned about storing secrets on disk, don’t run the script; instead store keys in a secure vault or use OpenClaw's secure config mechanism. - The proxy embeds both keys in the request URL query string when contacting the MCP endpoint. Even over HTTPS, query parameters can be logged by servers or intermediaries. If possible, prefer sending credentials in headers or bearer tokens, or confirm that your MCP server is comfortable with query-based auth and logs are acceptable. - The proxy prints a fragment of your user key to stderr on startup (useful for debugging), which could end up in logs; be aware of log exposure. - If you proceed, prefer a dedicated, least-privilege service account for automation, rotate keys after testing, and review the mcp-proxy.js and setup.sh code yourself or with a trusted admin. If you want to be cautious: refuse or modify the setup script (avoid writing secrets to shell profiles), add MEEGLE_MCP_KEY to the skill metadata or verify with the publisher, and consider using a secure secrets store instead of environment variables in shell files.

Like a lobster shell, security has layers — review code before you run it.

latestvk974ca02n440vxckmxtj6hdye580xbx6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis
OSmacOS · Linux · Windows
EnvMEEGLE_USER_KEY
Primary envMEEGLE_USER_KEY

Comments