Security audit

Lark Project Meegle Local

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a coherent Meegle/Feishu Project CLI integration, with expected account access and project-data operations disclosed by its purpose.

Install only if you trust the @lark-project/meegle npm package and are comfortable authorizing access to your Meegle/Feishu Project account. Treat create and update commands as real changes to business project data, review parsed URLs or custom hosts before logging in, and know where the CLI stores tokens so you can revoke or remove them later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Severity: Medium
Confidence: 92%

Finding: The passive trigger is defined as any Meegle-related business request, which is broad enough to activate this skill for a wide range of loosely related user inputs. In a tool that can authenticate and then read or modify remote project data, overly broad activation increases the chance of unintended execution, surprise login prompts, or acting on ambiguous requests without sufficiently explicit user intent.

Vague Triggers

Severity: Medium
Confidence: 90%

Finding: The URL-based trigger relies on a resource "looking like" a Meegle URL and matching common path keywords such as "workitem", "detail", "story", or "issue". This heuristic is ambiguous and can misclassify unrelated URLs or attacker-supplied links, causing the skill to initiate authentication or query flows based on untrusted input without exact validation of the host and the URL structure.
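To make the second finding concrete, the following is an added example written for this audit page; it is not code from the @lark-project/meegle package or the audited skill. It puts the loose keyword heuristic the finding describes next to a strict classifier that parses the URL, requires https, rejects userinfo, checks the hostname against an exact allowlist, and matches the path against a fixed shape. The allowlisted host, the path pattern and every sample URL are constructed assumptions for illustration; a real deployment would take the allowed hosts (including any reviewed custom host) from the CLI's own configuration.

```javascript
// Added example for this audit page, not the skill's or the CLI's own code.
// Loose "looks like Meegle + keyword" matching versus strict host/path validation.

// Keywords named in the finding.
const PATH_KEYWORDS = ["workitem", "detail", "story", "issue"];

// Loose heuristic as described by the finding: the string merely has to
// mention "meegle" somewhere and contain one of the keywords.
function looksLikeMeegleLoose(raw) {
  const lower = raw.toLowerCase();
  return lower.includes("meegle") && PATH_KEYWORDS.some((k) => lower.includes(k));
}

// Hypothetical allowlist and path shape (assumptions, not real Meegle values).
// A reviewed custom host would be added here explicitly, never inferred.
const ALLOWED_HOSTS = new Set(["project.example-meegle.test"]);
const WORKITEM_PATH = /^\/([a-z0-9_-]+)\/(story|issue)\/detail\/([0-9]+)$/;

// Strict classifier: fail closed on any structural doubt and return a reason.
function classifyMeegleUrlStrict(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser; hostname comes back lowercased
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme" };
  // "https://trusted-host@evil.example/..." parses with evil.example as host;
  // refuse userinfo outright rather than relying on the host check alone.
  if (url.username || url.password) return { ok: false, reason: "userinfo" };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: "host" };
  const m = WORKITEM_PATH.exec(url.pathname);
  if (!m) return { ok: false, reason: "path" };
  return { ok: true, host: url.hostname, project: m[1], type: m[2], id: m[3] };
}

// Constructed sample inputs: one legitimate link and several attacker-shaped ones.
const SAMPLE_URLS = [
  "https://project.example-meegle.test/myproj/story/detail/12345",          // legitimate
  "https://project.example-meegle.test.evil.example/myproj/story/detail/1",  // suffix lookalike
  "https://project.example-meegle.test@evil.example/workitem/detail/1",     // userinfo trick
  "https://evil.example/blog/meegle-story-detail",                          // keyword bait
  "http://project.example-meegle.test/myproj/issue/detail/7",               // downgraded scheme
];

// Runs both classifiers over the samples so the difference is visible at a glance.
function compareClassifiers(urls = SAMPLE_URLS) {
  return urls.map((u) => ({
    url: u,
    loose: looksLikeMeegleLoose(u),
    strict: classifyMeegleUrlStrict(u),
  }));
}

for (const r of compareClassifiers()) {
  console.log(`${r.loose ? "LOOSE:accept" : "LOOSE:reject"}  ${r.strict.ok ? "STRICT:accept" : "STRICT:reject(" + r.strict.reason + ")"}  ${r.url}`);
}
```

Every attacker-shaped sample passes the loose check, which is exactly the failure mode the finding points at: a pasted link can trigger a login or query flow. The strict classifier accepts only the first URL and reports why each other one was refused, which is the information a user or a log reviewer needs before the skill authenticates on their behalf.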

Missing User Warnings

Severity: Medium
Confidence: 88%

Finding: The skill advertises login, query, creation, and update capabilities against a user's Meegle account, but it does not prominently disclose that it may access and modify remote account data once authenticated. This weakens informed consent and makes it easier for users to trigger sensitive reads or writes without realizing the scope of access, especially combined with the broad trigger rules.

VirusTotal

65/65 vendors flagged this skill as clean.