Elastolink Meeting Skills
v1.0.0Elastolink 魔簧会议助手 MCP 服务器。Use when working with the elastolink project at D:\workspace\demo\elastolink or when needing to call elastolink MCP tools. Triggers...
⭐ 0· 64·0 current·0 all-time
byNeo Chan@netkiller
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill claims to manage Elastolink MCP calls and the provided scripts and documentation match that purpose (HTTP POSTs to dev.ideasprite.com/mcp, JSON-RPC tool calls, local .env/.session). However, the skill metadata declares no required binaries while all runtime instructions assume node is available and use absolute Windows paths (D:\workspace\demo\elastolink), which is an operational inconsistency that may cause failures on systems without Node.js or a different filesystem layout.
Instruction Scope
SKILL.md instructs only to run the included node scripts, check/save a token at the project .env, and parse JSON results — all within the stated domain (MCP tools). The instructions do read and write local files (.env and .session) and send the token to the MCP server, which is expected behavior for this integration and not out of scope.
Install Mechanism
No install spec is provided (instruction-only with local scripts). This is low-risk from an install perspective because nothing is downloaded or extracted by the skill itself. Runtime requires Node.js but that requirement is not declared in the registry metadata.
Credentials
The skill requests no environment variables in metadata, but it uses and manages a local token stored in D:\workspace\demo\elastolink\.env (ELASTOLINK_TOKEN) and sends it to dev.ideasprite.com as a Bearer token — this is proportional to the stated purpose. Users should note the token is stored in plaintext in a project .env file and transmitted to the remote MCP server; the metadata omission of 'node' and of any required env var is a minor mismatch.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It persists a session ID and token under its own project path, which is normal for this kind of connector.
Assessment
What to consider before installing:
- This skill runs local Node.js scripts (mcp-call.cjs, get-token.cjs, set-token.cjs). Ensure Node.js is available on the machine where the agent will run (metadata does not list this requirement).
- The skill reads and writes a token at D:\workspace\demo\elastolink\.env and a session file at D:\workspace\demo\elastolink\.session. Confirm you are comfortable storing the ELASTOLINK_TOKEN in plaintext at that path and that the agent process has appropriate file permissions.
- The token will be sent as Authorization: Bearer <token> to dev.ideasprite.com/mcp. Only install if you trust that endpoint and the operator behind it.
- The SKILL.md and scripts use absolute Windows paths; on non-Windows systems or different project locations the scripts will fail or need editing. Consider editing SKILL.md/scripts to use relative paths or an environment variable for the project path.
- Source metadata is limited (registry source unknown); package.json references a GitHub URL — verify the upstream repository and maintainer if provenance matters to you.
- If you want stricter handling of secrets, modify the scripts to avoid plain-file storage (use OS keyring, scoped environment variables, or explicit user prompt each session) before installing.
Overall, the skill appears internally consistent with its stated function and contains no signs of obfuscated or unrelated behavior, but exercise the usual caution around storing and transmitting API tokens and ensure Node.js and correct file paths are present.Like a lobster shell, security has layers — review code before you run it.
latestvk9744vq16fz7rz6kr3mre91hdh84dz13
License
MIT-0
Free to use, modify, and redistribute. No attribution required.