Skill v1.0.9
ClawScan security
Meegle Connector · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 4:13 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose (connect to Meegle via MCP and manage work items) matches what it requests and instructs: installing an npm CLI and reading/writing the mcporter credentials file; nothing appears disproportionate or unrelated.
- Guidance: This skill appears coherent for a CLI-based Meegle connector, but before installing:
  1. verify you trust the npm package and its publisher (inspect the package contents or repository if possible);
  2. prefer Browser OAuth locally when possible instead of copying credential files;
  3. never paste access tokens or credential files into chat; follow the documented confirm-and-write flow;
  4. confirm that the agent prompts you before reading or writing ~/.mcporter/credentials.json;
  5. if you must use a remote flow, review the written credentials after the operation and remove any unneeded files.
  If you are unsure about the npm package's provenance, inspect it first rather than installing globally.
Review Dimensions
- Purpose & Capability: ok
  Name/description, required binaries (node, npx), required config path (~/.mcporter/credentials.json), and the install of @lark-project/meego-mcporter are consistent with a CLI-based OAuth connector for Meegle/MCP.
- Instruction Scope: note
  SKILL.md instructs the agent to run npx commands and to read/write ~/.mcporter/credentials.json during a remote OAuth flow. Reading/writing that single credentials file is expected for OAuth management, but it is a sensitive operation: the file may already contain tokens if it is not in the exact state the doc assumes. The skill explicitly requires user confirmation for credential operations and forbids logging, which reduces risk.
- Install Mechanism: ok
  Install is an npm package from the registry (@lark-project/meego-mcporter) producing a meego-mcporter binary. Using npm for a CLI tool is normal and proportionate. No arbitrary URLs or archive extraction are used.
- Credentials: ok
  No environment secrets are requested; the only required artifact is ~/.mcporter/credentials.json, which is directly relevant to the stated OAuth flows. The skill does not ask for unrelated credentials or system-wide tokens.
- Persistence & Privilege: ok
  The skill is not always-enabled and does not request elevated or cross-skill configuration changes. Autonomous invocation is allowed (platform default) but is not itself a red flag here.
