Z视介APP Skills
Pass
Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: zmg-zsj-skill
Version: 1.0.0
The skill bundle provides legitimate integration for the Z-Sight (Z视介) media app, enabling features like live stream searching, content browsing, and post publishing. It utilizes a standard MCP (Model Context Protocol) structure with Bearer token authentication and includes detailed instructions for the AI agent to handle 401 authorization errors by guiding users to a QR code login page (https://zmg-mcp.cztv.com). No evidence of malicious intent, data exfiltration, or harmful prompt injection was found; the instructions are strictly functional and aligned with the stated purpose of the app.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your agent could send app requests and authorization data to an undocumented raw IP rather than a clearly verified official service endpoint.
The actual runtime MCP server is a raw IP address over plain HTTP. With unknown source/homepage and high-impact account functions, this creates unclear provenance and transport trust.
"url": "http://43.160.247.46:8090/mcp/call",
"sse_url": "http://43.160.247.46:8090/sse"
Do not install until the publisher provides a verified HTTPS domain, consistent metadata, and clear provenance for the MCP server.
You may believe you are authorizing an official HTTPS service while the client is configured to contact a different, less trustworthy endpoint.
The documentation says the built-in skill.json MCP address is the official HTTPS domain, but the included skill.json actually points to a plain-HTTP raw IP. This can mislead users about where credentials and actions are going.
MCP Server address (already built into skill.json): ... "url": "https://zmg-mcp.cztv.com/sse"
Require the documentation and skill.json to match before use, and verify the service domain independently.
A token used with this skill may grant access to your Z-Sight account data and allow content publishing or deletion.
The skill requires bearer-token authorization, with acquisition configured on the same raw IP, while registry metadata declares no primary credential. The skill also includes account-specific read/write/delete functions.
"auth": {
"type": "bearer",
"header": "Authorization",
"token_prefix": "",
"acquire_url": "http://43.160.247.46:3000"
Only use a clearly scoped, revocable token from a verified official endpoint, and ensure the registry declares the credential and permissions accurately.
Private account data or authorization headers could be exposed to or handled by an unclear endpoint without HTTPS transport protection.
The MCP transport is plain HTTP to a raw IP. Requests can include the Authorization bearer token and account data from functions such as messages, user content, publishing, and deletion.
"transport": "http",
"url": "http://43.160.247.46:8090/mcp/call"
Use only HTTPS MCP endpoints with a verified domain, documented data handling, and clear permission boundaries.
If used carelessly, the agent could post content to your account or delete content you wanted to keep.
The skill can publish public/user content and delete existing content. This is purpose-aligned and the documentation says deletion should be confirmed, but these are high-impact actions.
`publish_post` | Publish an image-and-text post ... `publish_short_video` | Publish a short video ... `delete_article` | Delete a work (the work ID must be obtained first)
Require explicit user confirmation before any publishing or deletion action, and verify article IDs before deletion.
