by 安全扫描
OpenClaw
可疑
high confidenceThe skill's code and instructions broadly match its stated purpose (wiring and testing GLM MCP endpoints) but the published metadata omits required environment variables and binaries and the scripts persist your API key to disk and invoke npx (which downloads remote code), so there are proportion, scope, and disclosure concerns you should understand before installing.
评估建议
This skill appears to do what it says, but there are practical and disclosure concerns you should consider before installing:
- Metadata mismatch: The skill's published metadata does not list required env vars or binaries, but the scripts require a Z.AI-style API key and external tools (mcporter, python3, Node/npm, and optionally Pillow for the vision test). Assume you must have these installed.
- Secret persistence: setup_glm_mcp_servers.py embeds your API key into the mcporter config file (de...详细分析 ▾
⚠ 用途与能力
The skill claims to configure and use Z.AI GLM MCP servers, which legitimately requires a Z.AI API key and tooling like mcporter, Python, and Node/npm. However the registry metadata incorrectly lists no required env vars, no primary credential, and no required binaries, while the shipped scripts clearly read API key env vars and call external binaries (mcporter, npx, python3). This mismatch between declared requirements and actual needs is a material inconsistency.
ℹ 指令范围
SKILL.md and the scripts stay within the stated purpose: generating a mcporter config, inspecting schemas, and performing smoke tests against api.z.ai endpoints. However the runtime steps store the API key in a generated mcporter config file (plain text Authorization header), run subprocesses, and call npx -y @z_ai/mcp-server (which will fetch/execute remote npm code). The scripts also run mcporter calls that will fetch arbitrary URLs (web-reader) and may write a smoke-test report to disk.
ℹ 安装机制
There is no formal install spec (instruction-only), which is low friction. But the vision MCP entry uses 'npx -y @z_ai/mcp-server' which downloads and runs code from the npm registry at runtime — a remote code fetch that increases risk compared with a bundled, reviewed package. No installer network URL or obscure hosts are present in the skill itself.
⚠ 凭证需求
The scripts require an API key (they probe Z_AI_API_KEY, ZAI_API_KEY, GLM_API_KEY, ZHIPU_API_KEY) and then embed that key into the mcporter config as an Authorization Bearer header. Requesting a Z.AI-style key is proportionate to the purpose, but the published metadata failing to declare the required credential and failing to document that the API key will be written to disk is an important omission. No other unrelated secrets are requested.
ℹ 持久化与权限
The skill is not force-installed (always:false) and does not alter other skills. It does persist state: it writes a mcporter config file (default ./tmp/mcporter-glm.json) that includes the Authorization header with your API key, and it writes a smoke test report to disk. That means your secret may be stored in plaintext on the filesystem unless you choose a different path or remove the file.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.22026/4/10
Improve search discoverability: update summary + tags with glm, Z.AI, MCP, vision, web search, web reader, zread, OpenClaw, GLM MCP Server Use
● 无害
安装命令 点击复制
官方npx clawhub@latest install glm-mcp-server-use
镜像加速npx clawhub@latest install glm-mcp-server-use --registry https://cn.clawhub-mirror.com
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制