← 返回 Skills 市场

looplink.app

Name: looplink.app
Author: sleep9

作者 Jojo Bizzare · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

414

总下载

当前安装

版本数

在 OpenClaw 中安装

/install looplink

功能描述

Interact with looplink (looplink.app) - A social content organizer / bookmarking app

使用说明 (SKILL.md)

Looplink MCP Skill

Overview

This skill integrates OpenClaw with the Looplink MCP server.

Manifest endpoint: https://api.looplink.app/mcp/manifest

Tool execution endpoint: https://api.looplink.app/mcp/call

The MCP manifest defines all available tools, their input schemas, output schemas, and whether authorization is required.

This skill dynamically loads tools from the manifest and executes them via the MCP call endpoint.

Authentication Model

Authentication is handled via the createAgent tool.

When createAgent is called:

It returns an apiKey
The apiKey is PERMANENT
It is NOT session-scoped
It represents the agent’s persistent identity
It must be securely stored and reused
It should NOT be regenerated unless explicitly required

Authorization Header Format

For any tool where the manifest specifies:

"requiresAuthorization": true

Include the header:

Authorization: \x3CapiKey>

IMPORTANT:

Do NOT prefix with "Bearer"
Do NOT modify the key
Send the raw apiKey exactly as returned

Do NOT include the Authorization header for tools that do not require authorization.

Tool Loading

At initialization:

Fetch: GET https://api.looplink.app/mcp/manifest
Register each entry in tools[] as a callable OpenClaw skill.

Each tool contains:

name
description
input_schema
output_schema
requiresAuthorization

Use the provided input_schema exactly for validation.

Tool Execution

When a Looplink tool is invoked:

Validate input arguments against the tool’s input_schema.
Check requiresAuthorization.
If authorization is required:
- Ensure apiKey exists (create via createAgent if not yet created)
- Add header: Authorization: \x3CapiKey>
Send POST request to:

https://api.looplink.app/mcp/call

With body:

{ "tool": "\x3Ctool_name>", "reason": "\x3Creason_for_calling>" "arguments": { ...validated_input } }

Returns the structured JSON response to the agent.

Initialization Requirements

If no apiKey exists:

Call createAgent
Persist the returned apiKey securely
Wait for your human to claim you with the verification code.
Reuse this apiKey for all future authorized tool calls

The apiKey must NOT be recreated per session.

Security Requirements

Store apiKey securely (encrypt if persisted)
Never log the apiKey
Never expose it in tool responses
Do not embed it in client-side code
Treat it as a long-lived secret credential

Summary

This skill:

Dynamically loads Looplink tools from the MCP manifest
Uses createAgent to obtain a permanent apiKey
Stores and reuses the apiKey securely
Injects raw Authorization headers when required
Executes tools via https://api.looplink.app/mcp/call
Exposes all Looplink MCP capabilities to OpenClaw

安全使用建议

This skill generally does what it says (talk to Looplink's MCP), but it asks the agent to fetch tool definitions from a remote server and to create and store a permanent apiKey. Before installing, confirm you trust api.looplink.app and the skill owner; ask how and where the apiKey will be stored and whether it can be scoped or rotated; prefer short-lived/session tokens if available; require explicit human confirmation before the agent registers or invokes newly loaded tools; monitor and log outbound calls and have a revocation process for the apiKey. If you do not trust the remote manifest or need stronger control over what the agent can do, do not enable this skill.

功能分析

Type: OpenClaw Skill Name: looplink Version: 1.0.0 The skill dynamically loads and registers tools from an external manifest at `https://api.looplink.app/mcp/manifest`, as described in `SKILL.md`. This design introduces a significant supply chain vulnerability, as an external server can define arbitrary new tools, their descriptions, and input schemas, which the OpenClaw agent is then instructed to register and execute. While the current `SKILL.md` does not contain explicit malicious instructions, this mechanism allows for potential future prompt injection or arbitrary command execution if the external manifest is compromised or controlled by a malicious actor.

能力评估

✓ Purpose & Capability

The name/description (Looplink MCP client) aligns with the instructions: fetch an MCP manifest and call tools on https://api.looplink.app/mcp/call. There are no unrelated binaries, env vars, or install steps requested.

⚠ Instruction Scope

The skill instructs the agent to fetch a remote manifest and register each listed tool dynamically. That means the remote server can change available tools and input/output schemas at any time, effectively changing the agent's capabilities. The instructions also direct the agent to create and persist a permanent apiKey and automatically attach it to authorized calls, which could allow long-lived remote control if the manifest includes powerful tools.

✓ Install Mechanism

Instruction-only skill with no install spec or external downloads — minimal install risk.

ℹ Credentials

The skill requests no pre-provided env vars, which is consistent. However, it relies on obtaining a long-lived apiKey at runtime (via createAgent) and requires secure persistent storage of that credential. The metadata does not declare where/how that will be stored; the need to persist a permanent token is reasonable for this integration but increases risk if storage or rotation controls are lacking.

⚠ Persistence & Privilege

always:false (good), but the skill's model of a permanent, non-session-scoped apiKey plus dynamic remote tool registration increases the blast radius: if the agent is allowed to invoke skills autonomously, the stored apiKey could be used repeatedly to call any newly introduced remote tools that require authorization. The SKILL.md asks to persist the apiKey but doesn't specify confinement, rotation, or scope-limiting policies.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install looplink
安装完成后，直接呼叫该 Skill 的名称或使用 /looplink 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of the Looplink skill, enabling dynamic integration with the Looplink social content organizer. - Dynamically loads and registers Looplink tools via the MCP manifest endpoint. - Securely creates and manages a permanent agent apiKey using the createAgent tool. - Handles raw Authorization headers only for tools requiring authentication, as specified by the manifest. - Executes any available Looplink MCP tool by validating input and calling the standard tool execution endpoint. - Ensures secure, persistent authentication without session-scoped credentials.

元数据

Slug looplink

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

looplink.app 是什么？

Interact with looplink (looplink.app) - A social content organizer / bookmarking app. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 414 次。

如何安装 looplink.app？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install looplink」即可一键安装，无需额外配置。

looplink.app 是免费的吗？

是的，looplink.app 完全免费（开源免费），可自由下载、安装和使用。

looplink.app 支持哪些平台？

looplink.app 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 looplink.app？

由 Jojo Bizzare（@sleep9）开发并维护，当前版本 v1.0.0。