Low Risk — Risk Score 15/100
Last scan: 17 hr ago
meegle-connector
Connect to Meegle via MCP service, support OAuth authentication, and enable querying and managing work items, views, etc.
A well-documented MCP connector for Meegle with explicit security constraints around credential handling and no hidden functionality beyond declared network/filesystem access.
Skill Name: meegle-connector
Duration: 43.7s
Engine: pi
Safe to install
This skill is safe to use. No changes required. Ensure the npm package version is pinned in production for supply-chain stability.

Findings 1 items

Severity: Low
Finding: Unpinned npm package dependency (Supply Chain)
Location: SKILL.md:40
The skill relies on npx @lark-project/meego-mcporter without a pinned version. Using version wildcards could lead to unexpected behavior if the package is updated with breaking changes.
npx @lark-project/meego-mcporter auth meegle --config meegle-config.json
→ Pin the package version (e.g., npx @lark-project/meego-mcporter@<version>) or document the tested version range
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | SKILL.md - MCP server at https://meegle.com/mcp_server/v1; npx calls to npm regi… |
| Filesystem | READ | READ+WRITE | ✓ Aligned | SKILL.md lines 21-26 - reads/writes ~/.mcporter/credentials.json; SKILL.md line … |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md - npx @lark-project/meego-mcporter auth/call commands for OAuth and MCP… |
| Environment | NONE | NONE | | No environment variable access found in any file |
| Skill Invoke | NONE | NONE | | No cross-skill invocation found |
| Clipboard | NONE | NONE | | No clipboard access found in any file |
| Browser | NONE | NONE | | Browser OAuth flow described but delegated to mcporter tool; no direct browser a… |
| Database | NONE | NONE | | No database access found in any file |
3 findings
Medium · External URL · SKILL.md:5
https://www.npmjs.com/package/@lark-project/meego-mcporter
Medium · External URL · SKILL.md:94
https://meegle.com/b/helpcenter/product/5rifl7a7
Medium · External URL · meegle-config.json:4
https://meegle.com/mcp_server/v1

File Tree

3 files · 5.5 KB · 128 lines
Markdown 1f · 115L JSON 2f · 13L
├─ 📋 _meta.json JSON 5L · 135 B
├─ 📋 meegle-config.json JSON 8L · 119 B
└─ 📝 SKILL.md Markdown 115L · 5.3 KB

Dependencies 1 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| @lark-project/meego-mcporter | * | npm (npx) | No | Version not pinned; called via npx without explicit version constraint |

Security Positives

✓ SKILL.md provides thorough and clear documentation of all capabilities and constraints
✓ Security constraints are explicitly stated: no independent credential operations, user confirmation required for each step, no logging of credential content
✓ No implementation scripts with inline code execution — all functionality delegated to a standard npm tool
✓ No obfuscation, base64-encoded strings, or anti-analysis patterns detected
✓ No sensitive paths (~/.ssh, ~/.aws, .env) are accessed
✓ No credential harvesting or data exfiltration behavior
✓ MCP server URL points to the official Meegle domain (meegle.com)
✓ OAuth credentials are scoped to the mcporter directory with explicit cleanup requirements