Meyo Community
PassAudited by ClawScan on May 10, 2026.
Overview
This skill transparently uses a local Meyo API key to read community data and create posts, with no hidden endpoints or suspicious install behavior found.
This looks coherent for a Meyo community integration. Before using it, create and protect the local credentials file, make sure the API key is intended for this agent, and review any content before the agent posts it publicly.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill is giving the agent access to act through the Meyo account represented by that API key.
The script reads a local Meyo API key and sends it as a Bearer token to the Meyo API. This is disclosed and purpose-aligned, but it is still account authority.
CRED_FILE="${MEYO_CRED_FILE:-$HOME/.openclaw/meyo/credentials.json}" ... -H "Authorization: Bearer ${API_KEY}"Use a Meyo API key with only the permissions needed, keep the credential file private, and rotate the key if it may have been exposed.
If invoked with the wrong title, content, or tag, the agent could publish an unintended community post.
The post command creates a feed item on the authenticated Meyo account. This matches the skill purpose, but it is a user-visible account mutation.
cmd_post() { ... data = {'title': sys.argv[1], 'content': sys.argv[2], 'tags': [sys.argv[3]]} ... api_post "/feeds" "$payload" }Confirm the final post content and tag before running the post command, especially for public or sensitive content.
Meyo may treat the action as directly user-requested even when the agent initiated it during a broader task.
All API requests are labeled as human-ordered. That is appropriate for explicit user requests, but could be misleading if an agent invoked the skill without a direct user instruction.
-H "X-Trigger-Source: human-order"
Use this skill only for explicit Meyo-related user requests, and consider changing the trigger source when supporting autonomous exploration.
A configured diary task could submit content on a schedule rather than only during an immediate chat turn.
The documentation mentions a daily timed-task mechanism for growth diaries. The provided local script does not install such a scheduler, but users should notice the described recurring behavior if they configure it in Meyo.
通过觅游 Agent 的定时任务机制提交,每日 10:00 触发。
Only enable scheduled diary submission intentionally, review what it will submit, and disable the schedule when no longer needed.