← 返回 Skills 市场

GLM MCP Server Use

Name: GLM MCP Server Use
Author: conanwhf

作者 conanwhf · GitHub ↗ · v1.0.2 · MIT-0

cross-platform ⚠ suspicious

130

总下载

当前安装

版本数

在 OpenClaw 中安装

/install glm-mcp-server-use

功能描述

GLM MCP Server Use for OpenClaw. Configure and use the 4 official Z.AI / GLM MCP servers (vision, web search, web reader, zread) with environment-variable AP...

使用说明 (SKILL.md)

GLM MCP Server Use

Overview

This skill provides a practical workflow to install, validate, and use the 4 official GLM MCP servers in OpenClaw:

Vision MCP (local stdio via @z_ai/mcp-server)
Web Search MCP (remote HTTP)
Web Reader MCP (remote HTTP)
Zread MCP (remote HTTP)

It also includes scripts to read API key from environment variables, generate mcporter config, and run a smoke test.

Quick Start

From this skill directory:

export Z_AI_API_KEY="your_zai_api_key"
python3 scripts/setup_glm_mcp_servers.py --config ./tmp/mcporter-glm.json
python3 scripts/smoke_test_glm_mcp.py --config ./tmp/mcporter-glm.json

Smoke test report will be written to ./tmp/glm-mcp-smoke-report.json.

API Key Resolution

setup_glm_mcp_servers.py resolves API key from environment variables in this order:

Z_AI_API_KEY
ZAI_API_KEY
GLM_API_KEY
ZHIPU_API_KEY You can check key availability without exposing full token:

python3 scripts/get_zai_api_key.py --masked

Installed MCP Entries

The setup script writes these mcporter servers:

web-search-prime → https://api.z.ai/api/mcp/web_search_prime/mcp
web-reader → https://api.z.ai/api/mcp/web_reader/mcp
zread → https://api.z.ai/api/mcp/zread/mcp
zai-vision → stdio npx -y @z_ai/mcp-server (with Z_AI_API_KEY, Z_AI_MODE=ZAI)

Validation Workflow

1) Inspect real schemas first

mcporter --config ./tmp/mcporter-glm.json list web-reader --schema --json
mcporter --config ./tmp/mcporter-glm.json list web-search-prime --schema --json
mcporter --config ./tmp/mcporter-glm.json list zread --schema --json
mcporter --config ./tmp/mcporter-glm.json list zai-vision --schema --json

2) Minimal call examples

mcporter --config ./tmp/mcporter-glm.json call web-search-prime.web_search_prime search_query="GLM-5.1 release notes"
mcporter --config ./tmp/mcporter-glm.json call web-reader.webReader url="https://example.com"
mcporter --config ./tmp/mcporter-glm.json call zread.get_repo_structure repo_name="microsoft/vscode"
mcporter --config ./tmp/mcporter-glm.json call zai-vision.analyze_image image_source="/path/to/image.png" prompt="Describe key elements"

Important Runtime Notes

Actual tool names can differ from docs examples. Always trust --schema output from live server.
Search tool currently exposes web_search_prime and requires search_query.
Zread calls require repo_name (not repo).
Web Reader may return anti-bot or verification content for protected pages (for example some WeChat links).

Troubleshooting

Tool not found: check exact tool name from mcporter ... --schema --json.
parameter error: verify argument names match schema exactly.
Empty/strange reader content: target page may block scraping or require interactive verification.
Vision local server issues: verify Node.js >= 22 and rerun with latest @z_ai/mcp-server.

Resources

Server matrix and endpoint notes: references/official-endpoints.md
Tested behavior record: references/test-report.md
Scripts: scripts/

安全使用建议

This skill appears to do what it says, but there are practical and disclosure concerns you should consider before installing: - Metadata mismatch: The skill's published metadata does not list required env vars or binaries, but the scripts require a Z.AI-style API key and external tools (mcporter, python3, Node/npm, and optionally Pillow for the vision test). Assume you must have these installed. - Secret persistence: setup_glm_mcp_servers.py embeds your API key into the mcporter config file (defaults to ./tmp/mcporter-glm.json). That file contains a Bearer token header in plaintext. If you install/run this, either point --config to a safe path, delete the generated file after use, or use a limited-scope API key. - Remote code download: The vision entry uses 'npx -y @z_ai/mcp-server' which will pull and execute code from the npm registry at runtime. If you require stricter controls, review the @z_ai/mcp-server package source (and its version) before allowing npx to run. - Network calls: The smoke test and normal use will make requests to api.z.ai endpoints and to whatever URLs you pass to the web-reader; don't feed sensitive internal URLs unless you intend to expose them to Z.AI. - Recommended mitigations: run in an isolated environment (container or dedicated VM), inspect the generated mcporter config before running calls, use a limited/replaceable API key, and confirm you have the expected tooling (mcporter, Node >=22 for @z_ai/mcp-server, python3 and Pillow). Also ask the publisher to correct the registry metadata to declare required env vars and binaries so future reviewers aren't surprised. Given these issues the skill is coherent with its stated purpose but the omissions and secret persistence are meaningful risks — proceed only after you review and mitigate them.

功能分析

Type: OpenClaw Skill Name: glm-mcp-server-use Version: 1.0.2 The skill bundle is a legitimate utility for configuring and validating official GLM (Zhipu AI) MCP servers. It includes scripts (setup_glm_mcp_servers.py, smoke_test_glm_mcp.py) that use the mcporter CLI to wire endpoints like api.z.ai and run diagnostic tests. While it handles sensitive API keys from environment variables, it does so transparently for configuration purposes without evidence of exfiltration or unauthorized execution.

能力评估

⚠ Purpose & Capability

The skill claims to configure and use Z.AI GLM MCP servers, which legitimately requires a Z.AI API key and tooling like mcporter, Python, and Node/npm. However the registry metadata incorrectly lists no required env vars, no primary credential, and no required binaries, while the shipped scripts clearly read API key env vars and call external binaries (mcporter, npx, python3). This mismatch between declared requirements and actual needs is a material inconsistency.

ℹ Instruction Scope

SKILL.md and the scripts stay within the stated purpose: generating a mcporter config, inspecting schemas, and performing smoke tests against api.z.ai endpoints. However the runtime steps store the API key in a generated mcporter config file (plain text Authorization header), run subprocesses, and call npx -y @z_ai/mcp-server (which will fetch/execute remote npm code). The scripts also run mcporter calls that will fetch arbitrary URLs (web-reader) and may write a smoke-test report to disk.

ℹ Install Mechanism

There is no formal install spec (instruction-only), which is low friction. But the vision MCP entry uses 'npx -y @z_ai/mcp-server' which downloads and runs code from the npm registry at runtime — a remote code fetch that increases risk compared with a bundled, reviewed package. No installer network URL or obscure hosts are present in the skill itself.

⚠ Credentials

The scripts require an API key (they probe Z_AI_API_KEY, ZAI_API_KEY, GLM_API_KEY, ZHIPU_API_KEY) and then embed that key into the mcporter config as an Authorization Bearer header. Requesting a Z.AI-style key is proportionate to the purpose, but the published metadata failing to declare the required credential and failing to document that the API key will be written to disk is an important omission. No other unrelated secrets are requested.

ℹ Persistence & Privilege

The skill is not force-installed (always:false) and does not alter other skills. It does persist state: it writes a mcporter config file (default ./tmp/mcporter-glm.json) that includes the Authorization header with your API key, and it writes a smoke test report to disk. That means your secret may be stored in plaintext on the filesystem unless you choose a different path or remove the file.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install glm-mcp-server-use
安装完成后，直接呼叫该 Skill 的名称或使用 /glm-mcp-server-use 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.2

Improve search discoverability: update summary + tags with glm, Z.AI, MCP, vision, web search, web reader, zread, OpenClaw, GLM MCP Server Use

v1.0.1

Switch to env-only API key flow for OpenClaw (remove ~/.claude.json fallback)

v1.0.0

Initial release: setup + smoke tests for GLM vision/search/reader/zread MCP servers

元数据

Slug glm-mcp-server-use

版本 1.0.2

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 3

常见问题