glm-web-search
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s web-search purpose is coherent, but its setup prints and persists a GLM API key in ways users should review before use.
Review this skill before installing. Its search function matches its description, but avoid running the API-key check as written because it can reveal the full key. Use a revocable GLM key, protect or rotate it if exposed, verify the official GLM MCP endpoint, and consider pinning or reviewing mcporter before running npx-based setup.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A GLM API key could be revealed and then used by someone else to access the user’s account or consume paid quota.
This command reads the local GLM API key and prints the full value to command output, which can expose the credential to the agent transcript, logs, or other local observers.
cat ~/.openclaw/config/glm.json ... print(d.get('api_key', ''))
Do not run the key-check command as written. Replace it with a boolean existence check or redacted output, use a revocable/least-privileged key, and declare the credential requirement clearly.
The user may run whatever mcporter version npm resolves at that time, so future package changes could affect behavior.
The setup relies on executing mcporter through npx without a pinned version or install specification. This is related to the MCP-search purpose, but the fetched package version is not fixed in the artifacts.
npx -y mcporter --version ... mcporter can be used directly via npx, with no installation required.
Verify the mcporter package source, prefer a pinned version, and require user approval before first-time setup.
Search terms, and potentially sensitive prompts included in search queries, are sent to GLM’s service.
The skill configures a remote GLM MCP/SSE endpoint and sends search queries through that provider. This is expected for a web-search integration, but it means queries and authentication are handled by a third-party service.
mcporter config add glm-search --type sse --url "https://open.bigmodel.cn/api/mcp/web_search_prime/sse?Authorization=your-key"
Use the skill only for queries you are comfortable sending to the GLM provider, and verify the endpoint and authentication method against official documentation.
