Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meegle Connector

v1.0.9

Connect to Meegle via MCP service, support OAuth authentication, and enable querying and managing work items, views, etc.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the declared requirements: Node/npx and the @lark-project/meego-mcporter CLI are appropriate for an MCP/OAuth connector. The required config path (~/.mcporter/credentials.json) is directly related to storing OAuth credentials and is justified by the skill's purpose.
Instruction Scope
SKILL.md explicitly instructs the agent to read and write ~/.mcporter/credentials.json during OAuth flows and to prompt the user for confirmation before any credential operations. This is appropriate for remote OAuth synchronization, but the path is sensitive — the instructions must be followed exactly to avoid accidentally exposing tokens. The doc prohibits logging credentials, which is good, but that is an instruction (not an enforced guarantee).
Install Mechanism
Install is a normal npm package (@lark-project/meego-mcporter) which produces a CLI binary (meego-mcporter). This is expected for a Node-based connector. However, the skill bundle contains no package code to audit; installing a third-party npm package carries the usual risks (postinstall scripts, network activity).
Credentials
No environment variables or unrelated credentials are requested. The single config path requirement is proportional to the OAuth functionality described.
Persistence & Privilege
The skill is not always-enabled, does not request system-wide privileges, and confines reads/writes to its own credentials directory (~/.mcporter). Autonomous invocation is allowed (platform default) but the SKILL.md states credential operations must require explicit user confirmation, which reduces risk if followed.
Assessment
This skill appears coherent with its stated purpose, but before installing you should:
1) Review the npm package on the registry (https://www.npmjs.com/package/@lark-project/meego-mcporter) and, if possible, inspect its source code and recent publisher activity (postinstall scripts, network calls).
2) Prefer the Browser OAuth flow so credentials are created locally and not transferred.
3) If using Remote OAuth Proxy, confirm the agent truly only displays client parameters (not tokens) and that you explicitly approve any write of credentials to ~/.mcporter/credentials.json.
4) Ensure the agent will not log or transmit the credentials elsewhere — treat the SKILL.md constraints as guidance, not enforcement.
5) If you have low trust in the npm package or in automated handling of secrets, perform the OAuth and credentials sync manually and only allow the agent to operate after verifying the credentials file contents.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📋 Clawdis
Bins: node, npx
Config: ~/.mcporter/credentials.json

Install

Node
Bins: meego-mcporter
npm i -g @lark-project/meego-mcporter
