Zulk Short URL Skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a disclosed Zu.lk MCP integration, but installing it gives an authenticated agent link-management, analytics, and team-membership powers that users should review before use.
This skill is purpose-aligned for Zu.lk URL shortening and analytics. Before installing, confirm you trust the Zu.lk MCP endpoint, connect only the intended account, and ask the agent to get explicit confirmation before updating links or changing organization membership and roles.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could change who has access to an organization or alter where existing short links send visitors.
The MCP tool list includes account/team membership changes and link updates, which are powerful actions even though they match the stated team link-management purpose.
`zulk_add_organization_member(... role?: "MANAGER" | "ADMIN" | "OWNER")`, `zulk_update_member_role(...)`, `zulk_remove_organization_member(...)`, and `zulk_update_link(...)`
Use this only with clear user requests, and require explicit confirmation before changing link destinations, adding or removing members, or granting ADMIN/OWNER roles.
The agent may access and modify Zu.lk resources available to the authenticated account, including organization links and analytics.
The skill requires OAuth login so the MCP server can act on the user's Zu.lk account; this is disclosed and expected for the integration.
Authentication: "When you first run a command like \"shorten this link\", the agent will present an OAuth URL. Follow the link to authenticate."
Authenticate only to the intended Zu.lk account and review what organization permissions that account has before enabling the skill.
Using the stdio option may depend on whatever package version npx resolves at setup time.
The optional stdio configuration uses npx to fetch/run a bridge package without a pinned version, though the recommended HTTP configuration does not require this.
`"command": "npx", "args": ["mcporter", "https://mcp.zu.lk/mcp"]`
Prefer the recommended HTTPS MCP configuration when possible, or pin and review any npx bridge package before using it.
URLs, organization identifiers, analytics requests, and related account actions may be sent to Zu.lk's MCP service.
The agent communicates with an external MCP provider to perform link and analytics operations; this is central to the skill and disclosed.
`mcp_url: https://mcp.zu.lk/mcp` and configuration example `{ "url": "https://mcp.zu.lk/mcp" }`
Avoid sending confidential or internal URLs unless you are comfortable managing them through Zu.lk and its MCP service.
