GLM MCP Server Use

This skill appears to do what it says, but there are practical and disclosure concerns you should consider before installing: - Metadata mismatch: The skill's published metadata does not list required env vars or binaries, but the scripts require a Z.AI-style API key and external tools (mcporter, python3, Node/npm, and optionally Pillow for the vision test). Assume you must have these installed. - Secret persistence: setup_glm_mcp_servers.py embeds your API key into the mcporter config file (defaults to ./tmp/mcporter-glm.json). That file contains a Bearer token header in plaintext. If you install/run this, either point --config to a safe path, delete the generated file after use, or use a limited-scope API key. - Remote code download: The vision entry uses 'npx -y @z_ai/mcp-server' which will pull and execute code from the npm registry at runtime. If you require stricter controls, review the @z_ai/mcp-server package source (and its version) before allowing npx to run. - Network calls: The smoke test and normal use will make requests to api.z.ai endpoints and to whatever URLs you pass to the web-reader; don't feed sensitive internal URLs unless you intend to expose them to Z.AI. - Recommended mitigations: run in an isolated environment (container or dedicated VM), inspect the generated mcporter config before running calls, use a limited/replaceable API key, and confirm you have the expected tooling (mcporter, Node >=22 for @z_ai/mcp-server, python3 and Pillow). Also ask the publisher to correct the registry metadata to declare required env vars and binaries so future reviewers aren't surprised. Given these issues the skill is coherent with its stated purpose but the omissions and secret persistence are meaningful risks — proceed only after you review and mitigate them.