uno
v3.0.0Call 2000+ tools via curl, zero installation. Supports tool-level semantic search — get full inputSchema in one step and invoke directly. Covers search, dev,...
⭐ 0· 203·1 current·1 all-time
byAgentrix@lxyd-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (search + invoke many tools via REST) matches the SKILL.md: it describes search-tools, call-tool, and related endpoints on https://mcpmarket.cn. There are no unrelated credentials or surprising binaries requested.
Instruction Scope
The instructions explicitly instruct the agent to create ~/.uno, write a bearer token to ~/.uno/token, and read that file for subsequent calls. The registry metadata did not declare any required config paths, so the SKILL.md reads/writes a user-home path that is not declared in the manifest. This is functionally legitimate for storing an API token but should be noted because the skill will persist a token on disk.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only and relies on curl. This is low-risk from an install standpoint (nothing is downloaded/executed by the skill itself).
Credentials
The skill declares no required environment variables or primary credential, yet its runtime flow obtains and persists an access token via an OAuth device flow. Requesting and storing a single bearer token is proportional to the stated purpose, but the token file and OAuth flow are not represented in the registry metadata (no primaryEnv, no required config path).
Persistence & Privilege
always is false and the skill does not request permanent platform-level privileges. The only persistence is the token file in ~/.uno (its own directory). The skill does not modify other skills or system-wide agent settings.
Assessment
This skill is internally consistent with its description: it queries and invokes MCPMarket tools via the public API. Before installing, consider: (1) the skill will run an OAuth device flow and store a bearer token at ~/.uno/token — review what scopes the token grants and whether you trust https://mcpmarket.cn; (2) the registry metadata did not list the config path or the need for curl (the SKILL.md requires curl and writes to ~/.uno), so expect the skill to create/read that file; (3) invoking tools via this marketplace may in turn trigger downstream auth flows for third-party services — be cautious when authorizing those; (4) if you want to limit blast radius, create a dedicated account for this marketplace and review token scopes, or avoid authorizing downstream services you don't trust. Overall the skill appears coherent, but validate the provider and OAuth scopes before giving it access.Like a lobster shell, security has layers — review code before you run it.
latestvk976w6abf7zafktnwrfwk1a1s583vsjm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.