← Back to Skills Marketplace

looplink.app

Name: looplink.app
Author: sleep9

by Jojo Bizzare · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

414

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install looplink

Description

Interact with looplink (looplink.app) - A social content organizer / bookmarking app

README (SKILL.md)

Looplink MCP Skill

Overview

This skill integrates OpenClaw with the Looplink MCP server.

Manifest endpoint: https://api.looplink.app/mcp/manifest

Tool execution endpoint: https://api.looplink.app/mcp/call

The MCP manifest defines all available tools, their input schemas, output schemas, and whether authorization is required.

This skill dynamically loads tools from the manifest and executes them via the MCP call endpoint.

Authentication Model

Authentication is handled via the createAgent tool.

When createAgent is called:

It returns an apiKey
The apiKey is PERMANENT
It is NOT session-scoped
It represents the agent’s persistent identity
It must be securely stored and reused
It should NOT be regenerated unless explicitly required

Authorization Header Format

For any tool where the manifest specifies:

"requiresAuthorization": true

Include the header:

Authorization: \x3CapiKey>

IMPORTANT:

Do NOT prefix with "Bearer"
Do NOT modify the key
Send the raw apiKey exactly as returned

Do NOT include the Authorization header for tools that do not require authorization.

Tool Loading

At initialization:

Fetch: GET https://api.looplink.app/mcp/manifest
Register each entry in tools[] as a callable OpenClaw skill.

Each tool contains:

name
description
input_schema
output_schema
requiresAuthorization

Use the provided input_schema exactly for validation.

Tool Execution

When a Looplink tool is invoked:

Validate input arguments against the tool’s input_schema.
Check requiresAuthorization.
If authorization is required:
- Ensure apiKey exists (create via createAgent if not yet created)
- Add header: Authorization: \x3CapiKey>
Send POST request to:

https://api.looplink.app/mcp/call

With body:

{ "tool": "\x3Ctool_name>", "reason": "\x3Creason_for_calling>" "arguments": { ...validated_input } }

Returns the structured JSON response to the agent.

Initialization Requirements

If no apiKey exists:

Call createAgent
Persist the returned apiKey securely
Wait for your human to claim you with the verification code.
Reuse this apiKey for all future authorized tool calls

The apiKey must NOT be recreated per session.

Security Requirements

Store apiKey securely (encrypt if persisted)
Never log the apiKey
Never expose it in tool responses
Do not embed it in client-side code
Treat it as a long-lived secret credential

Summary

This skill:

Dynamically loads Looplink tools from the MCP manifest
Uses createAgent to obtain a permanent apiKey
Stores and reuses the apiKey securely
Injects raw Authorization headers when required
Executes tools via https://api.looplink.app/mcp/call
Exposes all Looplink MCP capabilities to OpenClaw

Usage Guidance

This skill generally does what it says (talk to Looplink's MCP), but it asks the agent to fetch tool definitions from a remote server and to create and store a permanent apiKey. Before installing, confirm you trust api.looplink.app and the skill owner; ask how and where the apiKey will be stored and whether it can be scoped or rotated; prefer short-lived/session tokens if available; require explicit human confirmation before the agent registers or invokes newly loaded tools; monitor and log outbound calls and have a revocation process for the apiKey. If you do not trust the remote manifest or need stronger control over what the agent can do, do not enable this skill.

Capability Analysis

Type: OpenClaw Skill Name: looplink Version: 1.0.0 The skill dynamically loads and registers tools from an external manifest at `https://api.looplink.app/mcp/manifest`, as described in `SKILL.md`. This design introduces a significant supply chain vulnerability, as an external server can define arbitrary new tools, their descriptions, and input schemas, which the OpenClaw agent is then instructed to register and execute. While the current `SKILL.md` does not contain explicit malicious instructions, this mechanism allows for potential future prompt injection or arbitrary command execution if the external manifest is compromised or controlled by a malicious actor.

Capability Assessment

✓ Purpose & Capability

The name/description (Looplink MCP client) aligns with the instructions: fetch an MCP manifest and call tools on https://api.looplink.app/mcp/call. There are no unrelated binaries, env vars, or install steps requested.

⚠ Instruction Scope

The skill instructs the agent to fetch a remote manifest and register each listed tool dynamically. That means the remote server can change available tools and input/output schemas at any time, effectively changing the agent's capabilities. The instructions also direct the agent to create and persist a permanent apiKey and automatically attach it to authorized calls, which could allow long-lived remote control if the manifest includes powerful tools.

✓ Install Mechanism

Instruction-only skill with no install spec or external downloads — minimal install risk.

ℹ Credentials

The skill requests no pre-provided env vars, which is consistent. However, it relies on obtaining a long-lived apiKey at runtime (via createAgent) and requires secure persistent storage of that credential. The metadata does not declare where/how that will be stored; the need to persist a permanent token is reasonable for this integration but increases risk if storage or rotation controls are lacking.

⚠ Persistence & Privilege

always:false (good), but the skill's model of a permanent, non-session-scoped apiKey plus dynamic remote tool registration increases the blast radius: if the agent is allowed to invoke skills autonomously, the stored apiKey could be used repeatedly to call any newly introduced remote tools that require authorization. The SKILL.md asks to persist the apiKey but doesn't specify confinement, rotation, or scope-limiting policies.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install looplink
After installation, invoke the skill by name or use /looplink
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release of the Looplink skill, enabling dynamic integration with the Looplink social content organizer. - Dynamically loads and registers Looplink tools via the MCP manifest endpoint. - Securely creates and manages a permanent agent apiKey using the createAgent tool. - Handles raw Authorization headers only for tools requiring authentication, as specified by the manifest. - Executes any available Looplink MCP tool by validating input and calling the standard tool execution endpoint. - Ensures secure, persistent authentication without session-scoped credentials.

Metadata

Slug looplink

Version 1.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is looplink.app?

Interact with looplink (looplink.app) - A social content organizer / bookmarking app. It is an AI Agent Skill for Claude Code / OpenClaw, with 414 downloads so far.

How do I install looplink.app?

Run "/install looplink" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is looplink.app free?

Yes, looplink.app is completely free (open-source). You can download, install and use it at no cost.

Which platforms does looplink.app support?

looplink.app is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created looplink.app?

It is built and maintained by Jojo Bizzare (@sleep9); the current version is v1.0.0.

More Skills