ZenStudio CLI
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with ZenStudio content creation, but it exposes a broad “call any MCP tool” escape hatch that deserves careful review before use.
Install only if you trust the ZenStudio CLI package and need it to manage ZenStudio content. Use a limited API key where possible, protect the saved config file, and require explicit confirmation before arbitrary MCP tool calls, canvas overwrite/delete actions, or other account-changing operations.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using the stored ZenStudio credentials could call broader backend tools than the curated commands, potentially changing projects, assets, or other platform state unintentionally.
The skill documents a generic pass-through for calling any MCP tool, without an artifact-scoped allowlist or clear approval boundary for potentially mutating operations.
Generic pass-through (call any MCP tool) ... `zencli tools call <tool_name> --arg key=value [--json-args '{}']`
Prefer the named zencli commands. Only use tools call after explicitly reviewing tools describe output and confirming the exact tool name, arguments, and expected side effects with the user.
A mistaken canvas ID, delete list, or overwrite mode could immediately affect a shared working canvas.
Canvas edits are disclosed as immediately visible to viewers, and the command supports deletion and full overwrite modes.
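`build-draft` takes effect in real time: after a write, users currently viewing the canvas see the change immediately ... use `-d` to delete, and `--mode overwrite` for a full overwrite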
Confirm the canvas ID, mode, and affected nodes before running build-draft, especially with -d or --mode overwrite.
Anyone or any process with access to that config file may be able to use the ZenStudio account privileges granted by the API key.
The skill requires a ZenStudio API key and persists it locally for CLI authentication; this is disclosed and purpose-aligned.
`zencli auth login --token <YOUR_API_KEY>` ... `auth login` automatically writes the token to the config file ... `~/.zencli/config.json`
Use a least-privilege API key if available, protect the config directory, and rotate or remove the key when no longer needed.
Installing or migrating to an npm package runs code from that package ecosystem; the replacement package is not reviewed here.
The skill relies on external npm packages, and the replacement WorkRally install shown in the documentation is a separate package not represented by this skill's pinned install spec.
`npm install -g zenstudio-cli@1.3.7` ... New CLI: `npm install -g workrally`
Verify the npm package publisher and version before installing, and review the separate WorkRally skill/package if migrating.
