Low risk: risk score 15/100
Last scan: 20 hours ago
meegle-connector
Connect to Meegle via MCP service, support OAuth authentication, and enable querying and managing work items, views, etc.
A well-documented MCP connector for Meegle with explicit security constraints around credential handling and no hidden functionality beyond declared network/filesystem access.
Skill name: meegle-connector
Analysis time: 43.7s
Engine: pi
Safe to install
This skill is safe to use. No changes required. Ensure the npm package version is pinned in production for supply-chain stability.

Security findings: 1

Severity | Finding | Category | Location
Low | Unpinned npm package dependency | Supply chain | SKILL.md:40
The skill relies on npx @lark-project/meego-mcporter without a pinned version. Using version wildcards could lead to unexpected behavior if the package is updated with breaking changes.
Evidence: npx @lark-project/meego-mcporter auth meegle --config meegle-config.json
Recommendation: Pin the package version (e.g., npx @lark-project/[email protected]) or document the tested version range
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | SKILL.md - MCP server at https://meegle.com/mcp_server/v1; npx calls to npm regi…
Filesystem | READ | READ+WRITE | ✓ Consistent | SKILL.md lines 21-26 - reads/writes ~/.mcporter/credentials.json; SKILL.md line …
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md - npx @lark-project/meego-mcporter auth/call commands for OAuth and MCP…
Environment variables | NONE | NONE | | No environment variable access found in any file
Skill invocation | NONE | NONE | | No cross-skill invocation found
Clipboard | NONE | NONE | | No clipboard access found in any file
Browser | NONE | NONE | | Browser OAuth flow described but delegated to mcporter tool; no direct browser a…
Database | NONE | NONE | | No database access found in any file
External URLs: 3 findings
Severity | Finding | URL | Location
Medium | External URL | https://www.npmjs.com/package/@lark-project/meego-mcporter | SKILL.md:5
Medium | External URL | https://meegle.com/b/helpcenter/product/5rifl7a7 | SKILL.md:94
Medium | External URL | https://meegle.com/mcp_server/v1 | meegle-config.json:4

Directory structure

3 files · 5.5 KB · 128 lines
Markdown: 1 file · 115 lines; JSON: 2 files · 13 lines
├─ _meta.json (JSON, 5 lines, 135 B)
├─ meegle-config.json (JSON, 8 lines, 119 B)
└─ SKILL.md (Markdown, 115 lines, 5.3 KB)

Dependency analysis: 1 package

Package | Version | Source | Known vulnerabilities | Notes
@lark-project/meego-mcporter | * | npm (npx) | | Version not pinned; called via npx without explicit version constraint

Security highlights

✓ SKILL.md provides thorough and clear documentation of all capabilities and constraints
✓ Security constraints are explicitly stated: no independent credential operations, user confirmation required for each step, no logging of credential content
✓ No implementation scripts with inline code execution — all functionality delegated to a standard npm tool
✓ No obfuscation, base64-encoded strings, or anti-analysis patterns detected
✓ No sensitive paths (~/.ssh, ~/.aws, .env) are accessed
✓ No credential harvesting or data exfiltration behavior
✓ MCP server URL points to the official Meegle domain (meegle.com)
✓ OAuth credentials are scoped to the mcporter directory with explicit cleanup requirements