Meegle Mcp
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent Meegle MCP integration, but it needs Meegle credentials and can make real changes in your project-management workspace.
This skill appears purpose-aligned and not malicious from the provided artifacts. Install it only if you trust Meegle/Larksuite with the project data involved, use least-privilege Meegle keys, avoid storing credentials in insecure places where possible, and review any agent-requested changes to projects, members, or permissions before carrying them out.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a powerful Meegle key, the agent may create or modify projects, tasks, workflows, members, or permissions when asked.
The skill advertises tools that can change Meegle workspace content and membership permissions. This is aligned with project management, but those actions can affect real team data.
- **Create Project** ... - **Update Project** ... - **Add Members** ... - **Update Permissions**: Manage access levels
Use a least-privilege Meegle account or service account and explicitly review high-impact actions such as permission or membership changes.
Anyone or any agent flow that can use these credentials may act within the Meegle permissions granted to that key.
The proxy uses Meegle user and MCP keys to authenticate requests to the Meegle MCP endpoint. This is expected for the integration, but the keys carry the user's Meegle permissions.
const MEEGLE_USER_KEY = process.env.MEEGLE_USER_KEY; ... const MEEGLE_MCP_KEY = process.env.MEEGLE_MCP_KEY; ... const mcpEndpoint = `${MEEGLE_MCP_URL}?mcpKey=${MEEGLE_MCP_KEY}&userKey=${MEEGLE_USER_KEY}`;Store the keys securely, rotate them periodically, and limit their Meegle permissions to only the workspace actions you want OpenClaw to perform.
Installation may fail or be confusing if the user relies only on registry metadata and does not configure Node.js and the MCP key.
The registry metadata under-declares setup needs: the included README and proxy require Node.js and MEEGLE_MCP_KEY. The requirement is disclosed in the files, so this is a metadata completeness issue rather than hidden behavior.
Required binaries (all must exist): none ... Required env vars: MEEGLE_USER_KEY
Before installing, read the README and configure both MEEGLE_USER_KEY and MEEGLE_MCP_KEY; maintainers should update metadata to declare all required prerequisites.
Prompts and tool requests involving Meegle data may be sent to the Meegle/Larksuite MCP service.
The skill forwards MCP JSON-RPC requests to a remote Larksuite/Meegle MCP endpoint. This external data flow is central to the skill and is disclosed.
const MEEGLE_MCP_URL = process.env.MEEGLE_MCP_URL || 'https://project.larksuite.com/mcp_server/v1'; ... req.write(JSON.stringify(mcpRequest));
Only use this with workspaces and data you are comfortable sending to Meegle's MCP service, and avoid including unrelated sensitive information in Meegle-related prompts.