ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meegle Connector

v1.0.9

Connect to Meegle via MCP service, support OAuth authentication, and enable querying and managing work items, views, etc.

0· 200·0 current·0 all-time
by@wadxm

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for wadxm/meegel-connector.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Meegle Connector" (wadxm/meegel-connector) from ClawHub.
Skill page: https://clawhub.ai/wadxm/meegel-connector
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node, npx
Config paths to check: ~/.mcporter/credentials.json
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install meegel-connector

ClawHub CLI

Package manager switcher

npx clawhub@latest install meegel-connector
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the declared requirements: Node/npx and the @lark-project/meego-mcporter CLI are appropriate for an MCP/OAuth connector. The required config path (~/.mcporter/credentials.json) is directly related to storing OAuth credentials and is justified by the skill's purpose.
Instruction Scope
SKILL.md explicitly instructs the agent to read and write ~/.mcporter/credentials.json during OAuth flows and to prompt the user for confirmation before any credential operations. This is appropriate for remote OAuth synchronization, but the path is sensitive — the instructions must be followed exactly to avoid accidentally exposing tokens. The doc prohibits logging credentials, which is good, but that is an instruction (not an enforced guarantee).
Install Mechanism
Install is a normal npm package (@lark-project/meego-mcporter) which produces a CLI binary (meego-mcporter). This is expected for a Node-based connector. However, the skill bundle contains no package code to audit; installing a third-party npm package carries the usual risks (postinstall scripts, network activity).
Credentials
No environment variables or unrelated credentials are requested. The single config path requirement is proportional to the OAuth functionality described.
Persistence & Privilege
The skill is not always-enabled, does not request system-wide privileges, and confines reads/writes to its own credentials directory (~/.mcporter). Autonomous invocation is allowed (platform default) but the SKILL.md states credential operations must require explicit user confirmation, which reduces risk if followed.
Assessment
This skill appears coherent with its stated purpose, but before installing you should: 1) Review the npm package on the registry (https://www.npmjs.com/package/@lark-project/meego-mcporter) and, if possible, inspect its source code and recent publisher activity (postinstall scripts, network calls). 2) Prefer the Browser OAuth flow so credentials are created locally and not transferred. 3) If using Remote OAuth Proxy, confirm the agent truly only displays client parameters (not tokens) and that you explicitly approve any write of credentials to ~/.mcporter/credentials.json. 4) Ensure the agent will not log or transmit the credentials elsewhere — treat the SKILL.md constraints as guidance, not enforcement. 5) If you have low trust in the npm package or in automated handling of secrets, perform the OAuth and credentials sync manually and only allow the agent to operate after verifying the credentials file contents.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📋 Clawdis
Binsnode, npx
Config~/.mcporter/credentials.json

Install

Node
Bins: meego-mcporter
npm i -g @lark-project/meego-mcporter
latestvk977k7rnb5kn14a69shdshmet1832bcf
200downloads
0stars
1versions
Updated 16h ago
v1.0.9
MIT-0
@wadxm
latest
Download

Meegle Skill

Connect to Meegle via MCP service, supporting OAuth authentication.

Prerequisites

This skill relies on the following environment:

  • Node.js (>= 18) and npx
  • @lark-project/meego-mcporter: MCP Transfer Tool, sourced from npm (npm install -g @lark-project/meego-mcporter or automatically obtained via npx)

Certificate Management Instructions

This skill uses ~/.mcporter/credentials.json to store OAuth credentials (managed by mcporter).

  • Method 1 (Recommended): Browser OAuth - mcporter automatically completes authorization and writes credentials, and the agent does not need to access the credential content.
  • Method 2 (Remote Server): When the server does not have a browser, users need to complete OAuth on their local computers and then sync the credentials to the server. In this process, the agent will assist in displaying the OAuth Client configuration (excluding tokens) and writing the authorized credentials provided by the user, and all operations require users to confirm step by step.

Security Constraints:

  • The agent shall not initiate credential operations independently, and each step requires explicit confirmation from the user.
  • The agent must not record the credential content to logs, historical messages, or any location other than ~/.mcporter/
  • Temporary files generated during the operation must be cleaned up immediately

Connection Method

1. Ask the user which method to use for authentication

Note: Be sure to ask the user and let the user make an active choice. Automatically choosing for the user is prohibited. This tool supports two authentication methods:

  • Browser OAuth (Recommended): Suitable for scenarios where OpenClaw is locally installed, automatically re-engaging the browser to complete authorization
  • Remote OAuth Proxy: Suitable for scenarios where OpenClaw is installed on a remote server (browserless environment)

2. Browser OAuth (Recommended)

2.1. Create a Configuration File

Copy meegle-config.json from the skill package directory to the working directory.

2.2. Perform OAuth authentication (only once)

npx @lark-project/meego-mcporter auth meegle --config meegle-config.json

This will open a browser for you to authorize your Feishu account. ** After authorization is completed, the credentials will be cached in ~/.mcporter/credentials.json, and subsequent calls will not require re-authorization. **

3. Remote OAuth Proxy

Applicable Scenario: When the remote server does not have a browser, the user needs to complete OAuth on the local computer and then sync the credentials back to the server.

3.1. Create a Configuration File

Copy meegle-config.json from the skill package directory to the working directory.

3.2. Generate OAuth Client Configuration

npx @lark-project/meego-mcporter auth meegle --config meegle-config.json --oauth-timeout 1000

This command will generate an OAuth Client configuration (containing only the client parameters, excluding tokens) in ~/.mcporter/credentials.json.

3.3. Assist users in completing local authorization

This step requires the agent and the user to cooperate to complete credential synchronization. Since the remote server does not have a browser, the user needs to complete OAuth authorization on their local computer.

Step A - Present the OAuth Client Configuration to the User (Requires User Confirmation):

Read the contents of ~/.mcporter/credentials.json (which at this time only contains OAuth client parameters and no tokens), display them to the user, and inform the user:

The following is the OAuth Client configuration. Please refer to the document https://meegle.com/b/helpcenter/product/5rifl7a7 to complete the authorization on your local computer. After the authorization is completed, please provide me with the generated credential file.

Step B - Receive authorized credentials provided by the user (user confirmation required):

After the user completes OAuth locally, they will provide the authorized credential file. After obtaining user confirmation, write it to ~/.mcporter/credentials.json.

After the write operation is completed, immediately clean up any intermediate temporary files that may have been generated during the operation. The credential content is only stored in ~/.mcporter/credentials.json and must not be saved to any other location.

3.4. Verify the Authorization Result

Attempted to connect to the MCP server and confirmed successful authorization.

4. Subsequent Use

npx @lark-project/meego-mcporter call meegle <tool_name> --config meegle-config.json

Available Features

  • Query: To-do, View, Work Item Information
  • Operations: Create, modify, and transfer work items

Comments

Loading comments...