glm-web-search
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructions direct the user to include a sensitive API key as a query parameter in a URL (
https://open.bigmodel.cn/api/mcp/web_search_prime/sse?Authorization=your-key). Credentials in URLs are easily exposed through server logs, proxy history, and network monitoring. - [CREDENTIALS_UNSAFE]: The skill accesses local files that may contain sensitive information, specifically
~/.openclaw/config/glm.jsonand~/.openclaw/agents/main/agent/auth-profiles.json, to extract or store API keys. - [EXTERNAL_DOWNLOADS]: The skill uses
npx -y mcporter, which downloads and executes the latest version of themcporterpackage from the NPM registry at runtime without version pinning. - [COMMAND_EXECUTION]: Multiple shell commands are utilized to configure the environment and execute the search tool, including piping file contents to Python for parsing (
python3 -c "import json,sys...") and invokingmcporterfor network requests.
Audit Metadata