GLM-Master-Skill
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a guide-only GLM skill catalog; it does not include code, but users should review downstream installs and API-key use before following the instructions.
This skill looks safe as a documentation-only catalog. Before following its commands, review the individual GLM skills you plan to install and use a limited, well-protected API key for any downstream skill that requires one.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Following the guide may install other skills or software into the user's agent environment.
The skill provides user-directed commands for installing downstream skills, including use of an @latest package reference. This is purpose-aligned for an installation guide, but users should still trust and review downstream packages before installing them.
npx clawhub@latest install <skill-name>
Install only the downstream GLM skills you need, verify their source and permissions, and review each downstream skill's own artifacts before use.
If the user installs downstream GLM skills, those skills may access the user's Zhipu/GLM account through the configured API key.
The master skill itself does not request or use credentials, but it informs users that downstream skills may require an API key. API keys are sensitive account credentials, so users should scope and store them carefully.
Most GLM skills require the environment variable `ZHIPU_API_KEY`. This master skill itself does **not** read or use the key, but downstream skills will.
Use a limited-scope API key when possible, store it only in environment variables or a secure secret store, and review each downstream skill's credential handling before installation.