Zulk Short URL Skill

v0.1.4

Premium AI-first URL shortening and management with real-time analytics and team collaboration via MCP. Use when shortening links for marketing, tracking AI...

by Milindu Sanoj Kumarage (@agentmilindu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description describe an MCP-backed URL shortener. SKILL.md, README, and the small helper script all focus on adding an MCP server and using OAuth for authentication — these are expected for this purpose. No unrelated services or credentials are requested.
Instruction Scope
Runtime instructions limit actions to: adding an MCP server entry to agent config, initiating an OAuth sign-in, and calling MCP tools to create/list/manage links and analytics. The included configure.sh only prints a JSON snippet and suggests likely config paths; it does not modify files or exfiltrate data.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. However, SKILL.md suggests using 'npx mcp-remote ...' (mcp_command). Using npx will fetch and execute a package from the npm registry at runtime. This is common, but the package (mcp-remote) and its integrity are worth validating before executing.
Credentials
The skill requests no environment variables or stored credentials in its metadata. Authentication is described as an OAuth browser flow, which is appropriate for an external service and does not require embedding secrets in agent env vars.
Persistence & Privilege
The skill is not force-included (always: false) and does not request persistent system-level privileges. The bundle does not modify other skills or global agent configs; the configure script only prints suggested config JSON for manual addition.
Assessment
This skill is internally consistent with its stated purpose, but before installing:
(1) verify the external endpoints (https://mcp.zu.lk and https://zu.lk) and the GitHub repository are legitimate;
(2) be cautious about running 'npx mcp-remote' since npx fetches and runs code from npm — inspect the mcp-remote package and its source first;
(3) OAuth will open a browser to grant access — check the requested scopes during sign-in;
(4) the included configure.sh only prints a suggested MCP JSON snippet and does not write files, but you should manually add configuration to your agent rather than running scripts you haven't audited;
(5) if you want to limit risk, do not allow autonomous invocation or restrict the skill to user-invoked only in your agent settings.
