looplink.app
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill matches a Looplink integration, but it lets a live remote manifest define all tools and creates a permanent agent API key without a reviewed, bounded tool list.
Install only if you trust Looplink’s live MCP server. Before linking your account, inspect the manifest to see the actual tools exposed, and avoid letting the agent run write, delete, publish, or sharing actions without explicit confirmation.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Looplink could add or change available actions after installation, and the agent may see new capabilities that were not present in this review.
The reviewed skill does not contain a fixed tool list; a remote endpoint controls which tools, schemas, and authorization requirements are registered at runtime.
At initialization: 1. Fetch: GET https://api.looplink.app/mcp/manifest 2. Register each entry in `tools[]` as a callable OpenClaw skill.
Before use, inspect the live manifest, prefer an allow-list of expected tools, and require review when the manifest changes or adds write/delete/public-sharing actions.
If the remote tool set includes account mutations, deletion, sharing, or posting actions, the agent may be able to invoke them through the generic MCP call flow.
The skill grants the agent access to all remote-defined Looplink MCP tools without documenting tool-level limits, confirmations, or an allow-list in the artifact.
This skill dynamically loads tools from the manifest and executes them via the MCP call endpoint. ... Exposes all Looplink MCP capabilities to OpenClaw
Use only after confirming the specific tools exposed by the manifest, and require human confirmation for actions that modify, delete, publish, or share content.
Anyone who obtains the apiKey may be able to act as the linked Looplink agent until the key is revoked or replaced.
The skill uses a long-lived credential for the agent identity. This is purpose-aligned and includes instructions not to log or expose it, but users should recognize it as a persistent secret.
It returns an `apiKey` ... The apiKey is PERMANENT ... It represents the agent’s persistent identity ... It must be securely stored and reused
Store the apiKey only in a secure secret store, do not paste it into chats or logs, and confirm Looplink provides a way to revoke or rotate the key.