ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

looplink.app

v1.0.0

Interact with looplink (looplink.app) - A social content organizer / bookmarking app

0· 299·0 current·0 all-time
byJojo Bizzare@sleep9
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Looplink MCP client) aligns with the instructions: fetch an MCP manifest and call tools on https://api.looplink.app/mcp/call. There are no unrelated binaries, env vars, or install steps requested.
!
Instruction Scope
The skill instructs the agent to fetch a remote manifest and register each listed tool dynamically. That means the remote server can change available tools and input/output schemas at any time, effectively changing the agent's capabilities. The instructions also direct the agent to create and persist a permanent apiKey and automatically attach it to authorized calls, which could allow long-lived remote control if the manifest includes powerful tools.
Install Mechanism
Instruction-only skill with no install spec or external downloads — minimal install risk.
Credentials
The skill requests no pre-provided env vars, which is consistent. However, it relies on obtaining a long-lived apiKey at runtime (via createAgent) and requires secure persistent storage of that credential. The metadata does not declare where/how that will be stored; the need to persist a permanent token is reasonable for this integration but increases risk if storage or rotation controls are lacking.
!
Persistence & Privilege
always:false (good), but the skill's model of a permanent, non-session-scoped apiKey plus dynamic remote tool registration increases the blast radius: if the agent is allowed to invoke skills autonomously, the stored apiKey could be used repeatedly to call any newly introduced remote tools that require authorization. The SKILL.md asks to persist the apiKey but doesn't specify confinement, rotation, or scope-limiting policies.
What to consider before installing
This skill generally does what it says (talk to Looplink's MCP), but it asks the agent to fetch tool definitions from a remote server and to create and store a permanent apiKey. Before installing, confirm you trust api.looplink.app and the skill owner; ask how and where the apiKey will be stored and whether it can be scoped or rotated; prefer short-lived/session tokens if available; require explicit human confirmation before the agent registers or invokes newly loaded tools; monitor and log outbound calls and have a revocation process for the apiKey. If you do not trust the remote manifest or need stronger control over what the agent can do, do not enable this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk9734kwyq6z8thdsaf4ssrnzfx820mar

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Looplink MCP Skill

Overview

This skill integrates OpenClaw with the Looplink MCP server.

Manifest endpoint: https://api.looplink.app/mcp/manifest

Tool execution endpoint: https://api.looplink.app/mcp/call

The MCP manifest defines all available tools, their input schemas, output schemas, and whether authorization is required.

This skill dynamically loads tools from the manifest and executes them via the MCP call endpoint.

Authentication Model

Authentication is handled via the createAgent tool.

When createAgent is called:

  • It returns an apiKey
  • The apiKey is PERMANENT
  • It is NOT session-scoped
  • It represents the agent’s persistent identity
  • It must be securely stored and reused
  • It should NOT be regenerated unless explicitly required

Authorization Header Format

For any tool where the manifest specifies:

"requiresAuthorization": true

Include the header:

Authorization: <apiKey>

IMPORTANT:

  • Do NOT prefix with "Bearer"
  • Do NOT modify the key
  • Send the raw apiKey exactly as returned

Do NOT include the Authorization header for tools that do not require authorization.

Tool Loading

At initialization:

  1. Fetch: GET https://api.looplink.app/mcp/manifest

  2. Register each entry in tools[] as a callable OpenClaw skill.

Each tool contains:

  • name
  • description
  • input_schema
  • output_schema
  • requiresAuthorization

Use the provided input_schema exactly for validation.

Tool Execution

When a Looplink tool is invoked:

  1. Validate input arguments against the tool’s input_schema.

  2. Check requiresAuthorization.

  3. If authorization is required:

    • Ensure apiKey exists (create via createAgent if not yet created)
    • Add header: Authorization: <apiKey>

  4. Send POST request to:

    https://api.looplink.app/mcp/call

With body:

{ "tool": "<tool_name>", "reason": "<reason_for_calling>" "arguments": { ...validated_input } }

  1. Returns the structured JSON response to the agent.

Initialization Requirements

If no apiKey exists:

  1. Call createAgent
  2. Persist the returned apiKey securely
  3. Wait for your human to claim you with the verification code.
  4. Reuse this apiKey for all future authorized tool calls

The apiKey must NOT be recreated per session.

Security Requirements

  • Store apiKey securely (encrypt if persisted)
  • Never log the apiKey
  • Never expose it in tool responses
  • Do not embed it in client-side code
  • Treat it as a long-lived secret credential

Summary

This skill:

  • Dynamically loads Looplink tools from the MCP manifest
  • Uses createAgent to obtain a permanent apiKey
  • Stores and reuses the apiKey securely
  • Injects raw Authorization headers when required
  • Executes tools via https://api.looplink.app/mcp/call
  • Exposes all Looplink MCP capabilities to OpenClaw

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…