← Back to Skills Marketplace
148
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install zstack-mcp
Description
ZStack Cloud MCP Server integration for OpenClaw. Enables AI to query and execute ZStack APIs (2000+ endpoints) with authentication management and read-only...
Usage Guidance
This skill implements a legitimate ZStack MCP integration but contains clear red flags you should address before installing or enabling it:
- The package includes config/zstack.env with a plaintext admin password and an internal API URL. Do not use those credentials. Remove or overwrite config/zstack.env before running any scripts and rotate any real credentials if you accidentally used them.
- The published metadata says no env vars are required, but the SKILL.md and scripts use ZSTACK_API_URL, ZSTACK_ACCOUNT, ZSTACK_PASSWORD or ZSTACK_SESSION_ID. Expect to supply these; verify where they will be stored (the scripts save them into ~/clawd/skills/zstack-mcp/config/zstack.env and add them to your mcporter config).
- The scripts will modify your mcporter configuration file in your home directory. Inspect the scripts to confirm they only add the expected entry. Keep backups of mcporter config (scripts already create a .bak) and review the resulting JSON before trusting it.
- Keep write operations disabled (do not set ZSTACK_ALLOW_ALL_API=true) unless you fully trust the environment and want the skill to perform destructive actions.
- If you decide to proceed: (1) clone the repo into a safe place, (2) delete or sanitize config/zstack.env, (3) run configure.sh interactively to provide your own credentials (or supply a session ID), and (4) inspect the mcporter config changes created by register-mcp.sh before using them. Consider running initial tests in an isolated environment and verify the upstream pip package (zstack-mcp-server) is the expected project from its maintainers.
Capability Analysis
Type: OpenClaw Skill
Name: zstack-mcp
Version: 1.0.0
The skill manages sensitive ZStack Cloud credentials and stores them in plain text within 'config/zstack.env', which is a significant security risk. It provides scripts ('configure.sh' and 'register-mcp.sh') to automate the setup of an MCP server with broad access to over 2000 cloud API endpoints, including a mechanism to bypass read-only safety via the 'ZSTACK_ALLOW_ALL_API' flag. Additionally, the bundle includes a hardcoded password ('AIOS@rootpswd123') in the provided configuration file, which could lead to unauthorized access if not properly updated by the user.
Capability Assessment
Purpose & Capability
The skill's name, description, scripts, and examples all align with providing a ZStack MCP integration and registering it with mcporter. However, the registry metadata claims 'required env vars: none' while SKILL.md and the scripts clearly expect and use ZSTACK_API_URL, ZSTACK_ACCOUNT, ZSTACK_PASSWORD or ZSTACK_SESSION_ID. Shipping a pre-filled config/zstack.env with an API URL and admin password is disproportionate to a general-purpose distribution (it embeds target-specific credentials).
Instruction Scope
Runtime instructions direct the agent/user to run interactive configuration, to save credentials into ~/clawd/skills/zstack-mcp/config/zstack.env, and to automatically update the user's mcporter config (~/.clawd/config/mcporter.json or ~/.team-os/mcp.json). Those actions are within the stated purpose (registering the MCP server) but they expand scope by persisting credentials and modifying user config files in the home directory. The SKILL.md also instructs use of curl requests and test commands that include credentials — all expected for this skill but worth noting because sensitive data is written to disk.
Install Mechanism
There is no aggressive install spec; SKILL.md recommends pip/pipx to install the upstream zstack-mcp-server package (a normal public registry flow). This is low-to-moderate risk. Nothing is downloaded from arbitrary shorteners or unknown URLs. However the repository bundle itself includes a pre-populated config file containing credentials, which increases practical risk during 'install' (copying the repo), even though the install mechanism is otherwise reasonable.
Credentials
The skill requires credentials (username/password or session ID) to function, which is appropriate, but the package contradicts registry metadata by not declaring required env vars. Worse, config/zstack.env in the package contains a plaintext ZSTACK_PASSWORD and ZSTACK_API_URL pointing at an internal IP (172.20.0.36) and an administrative password: 'AIOS@rootpswd123'. Bundling such credentials with a skill is unnecessary and dangerous — it may leak credentials or confuse users into using built-in credentials. The scripts will write credentials into the user's mcporter config, exposing them to any process that reads that file.
Persistence & Privilege
The skill does persist configuration to disk (skill-local config and modifies mcporter config in the user's home). It does not request 'always: true' and does not autonomously elevate privileges. Persisting credentials into home config is expected for an integration but increases attack surface and should be treated cautiously.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install zstack-mcp - After installation, invoke the skill by name or use
/zstack-mcp - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of zstack-mcp skill for OpenClaw:
- Integrates ZStack Cloud MCP Server, enabling AI to query and execute over 2000 ZStack APIs with authentication management.
- Provides secure, read-only access by default; write API calls require explicit opt-in.
- Includes user-friendly setup scripts, comprehensive configuration and troubleshooting guides.
- Supports flexible authentication (username/password or session), environment-based configuration, and response size limits for safety.
- Offers example command usage for searching, describing, executing APIs, and querying monitoring metrics.
Metadata
Frequently Asked Questions
What is Zstack Mcp?
ZStack Cloud MCP Server integration for OpenClaw. Enables AI to query and execute ZStack APIs (2000+ endpoints) with authentication management and read-only... It is an AI Agent Skill for Claude Code / OpenClaw, with 148 downloads so far.
How do I install Zstack Mcp?
Run "/install zstack-mcp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Zstack Mcp free?
Yes, Zstack Mcp is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Zstack Mcp support?
Zstack Mcp is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Zstack Mcp?
It is built and maintained by 徐阳波 (@xybstone); the current version is v1.0.0.
More Skills