Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
glm-web-search
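v1.0.6
Use the GLM web-search MCP to perform web searches. Trigger conditions: (1) the user asks for a web search, an online search, or to look up information; (2) the latest news, updates, or reference material needs to be queried; (3) GLM's web_search feature is used.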
by 要啥自行车 @thincher
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill name/description (GLM web search) align with its actions: it asks for a GLM/智谱 API key, configures a local MCP entry, and calls a web_search MCP tool. Requiring a GLM API key and using an MCP client (mcporter) is expected for this purpose.
Instruction Scope
Instructions stay within the stated purpose (install/use mcporter, store/read a GLM API key in ~/.openclaw/config/glm.json, add and call an MCP server). Two minor inconsistencies: one mcporter URL example uses an SSE endpoint with Authorization as a query parameter, while the MCP configuration section lists a different mcp URL and says Bearer token in headers — you should confirm which form the service expects. The skill instructs writing the API key to a local file, which is expected but worth knowing.
Install Mechanism
No formal install spec in the registry, but the SKILL.md tells users/agents to run 'npx -y mcporter' which fetches and executes a package from the npm registry. This is functionally reasonable for using mcporter but carries the usual moderate risk of executing remote npm code at runtime — verify the mcporter package and publisher before running.
Credentials
The skill requests no environment variables and only asks to read/write a single local config file (~/.openclaw/config/glm.json) to store the GLM API key. That is proportional to the stated purpose. It does not ask for unrelated credentials or broad access.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. Its only persistent action is writing the GLM API key to a local config file under ~/.openclaw, which is within scope for a tool that needs a local API key.
Assessment
This skill appears to do what it says: configure and call GLM's web_search via mcporter. Before installing/using it:
1) Confirm you trust the mcporter npm package and its publisher because the instructions use 'npx' which will fetch and run code from the registry.
2) Verify the exact MCP endpoint and auth method (the SKILL.md shows both an SSE URL with Authorization in the query and a separate mcp URL that expects a Bearer header) and adjust the config so your key is sent securely (prefer Authorization header over embedding secrets in URLs).
3) Be aware the skill will create/modify ~/.openclaw/config/glm.json to store your GLM API key — if you prefer, create that file yourself with the key rather than pasting it into interactive prompts.
4) Only provide your GLM/智谱 API key if you trust the BigModel service and this skill's source; obtain the key from the official site.
If you want higher assurance, ask the skill author for the mcporter package name/version they expect and inspect that package before running it.
Like a lobster shell, security has layers — review code before you run it.
