Feishu Project(Meego) Connector - Bytedance Internal Version
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a coherent Meego connector, but it deserves review because it can use OAuth access to change project work items and relies on an npm/MCP bridge that is not included for inspection.
Install this only if you are authorized to connect OpenClaw to your organization’s Meego/Feishu Project account. Verify the npm package source, protect the ~/.mcporter/credentials.json file, and require explicit review before allowing the agent to create, modify, or transition any work item.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
With a valid OAuth session, an agent using this skill could change team project data if it invokes the wrong tool or acts on an ambiguous request.
The documented generic MCP call can invoke mutating Meego tools, including creating, modifying, and transitioning work items, but the artifacts do not define approval checks, target project limits, dry-run behavior, or rollback guidance for those mutations.
npx @lark-project/meego-mcporter call meego_btd <tool_name> --config meego-config.json ... Operations: create, modify, and transition work items
Require explicit user confirmation before any create, update, or transition action, show the exact project/item/fields to be changed, and prefer read-only access unless mutation is needed.
Anyone or anything that can use the cached credential may access Meego with the user’s authorized permissions.
The skill uses a persistent OAuth credential file and, in the remote OAuth flow, the agent may help write user-provided authorized credentials. This is expected for the integration and includes user-confirmation/no-logging constraints, but it grants account-level delegated access.
This skill uses `~/.mcporter/credentials.json` to store OAuth credentials... receives authorized credentials provided by the user... writes to `~/.mcporter/credentials.json`
Authorize only the needed account/scopes, protect ~/.mcporter/credentials.json, avoid sharing token-bearing files through chat when possible, and revoke or delete the credential when no longer needed.
A changed or compromised npm package could affect authentication handling or Meego operations.
The runtime behavior depends on a package fetched from npm. This is disclosed and purpose-aligned, but users are relying on the npm package’s provenance and the examples do not pin an exact package version.
`npm install -g @lark-project/meego-mcporter` or fetched automatically via `npx`
Install from the official npm package, pin a reviewed version where possible, and verify the package publisher/source before using it with OAuth credentials.
Meego project information and requested actions may be sent to the configured MCP service under the user’s account authorization.
The skill connects to a remote MCP server using OAuth. The endpoint is explicit and aligned with the purpose, but project queries/actions and returned data are mediated by that remote service.
"url": "https://meego.larkoffice.com/mcp_server/v1", "auth": "oauth"
Use only if this is the intended official endpoint for your organization, and avoid sending sensitive project data unless the service is trusted and authorized.
