ClawHub

GLM-Master-Skill

v1.0.9

Documentation-only master skill for GLM ecosystem discovery and installation. This skill does not execute scripts or subprocess commands. It provides a curat...

5· 532·1 current·1 all-time
byJared Wen@jaredforreal
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill is described as a documentation-only index of GLM skills and indeed contains only a catalog and installation guidance. It requests no credentials, binaries, or config paths, which is appropriate for a guide.
Instruction Scope
The SKILL.md contains shell commands (npx, git clone) and install guidance for downstream skills but does not instruct the agent itself to read local files or exfiltrate data. The description says it "does not execute scripts or subprocess commands" — that refers to the skill itself, not the user-facing install commands; this could be mildly confusing to non-technical users.
Install Mechanism
No install spec or code files are bundled. The document recommends using npx and git clone to fetch downstream skills (normal for installation docs). Because it suggests running npx @latest, users should be aware that following those commands downloads code at runtime from npm/GitHub (expected but worth attention).
Credentials
The master skill itself requires no environment variables. It correctly notes that many downstream GLM skills use ZHIPU_API_KEY and gives reasonable best-practice advice for key handling; requesting that key for downstream use is proportional and expected.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system configuration. Autonomous model invocation is allowed by platform default but the skill's content does not exploit that.
Assessment
This skill is a read-only catalog and appears coherent with that purpose. Before following any install commands the skill suggests: (1) review the target repositories' SKILL.md and source code on GitHub so you know what will be installed; (2) prefer pinning versions (avoid indiscriminately using `@latest`) and verify the authenticity of the npm package (clawhub) before running npx; (3) be aware that running `npx` or `git clone` will fetch and execute network code—treat those as normal code-install risks; (4) downstream skills may require ZHIPU_API_KEY—create a limited-scope key and do not commit it to source control; and (5) if you do not want an agent to run shell commands automatically, keep autonomous execution disabled for the agent or explicitly instruct it not to run commands.

Like a lobster shell, security has layers — review code before you run it.

latestvk977885mmhn3g4gdwh643asvc5843qpr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎯 Clawdis

Comments