← 返回 Skills 市场
xybstone

Zstack Mcp

作者 徐阳波 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
148
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install zstack-mcp
功能描述
ZStack Cloud MCP Server integration for OpenClaw. Enables AI to query and execute ZStack APIs (2000+ endpoints) with authentication management and read-only...
安全使用建议
This skill implements a legitimate ZStack MCP integration but contains clear red flags you should address before installing or enabling it: - The package includes config/zstack.env with a plaintext admin password and an internal API URL. Do not use those credentials. Remove or overwrite config/zstack.env before running any scripts and rotate any real credentials if you accidentally used them. - The published metadata says no env vars are required, but the SKILL.md and scripts use ZSTACK_API_URL, ZSTACK_ACCOUNT, ZSTACK_PASSWORD or ZSTACK_SESSION_ID. Expect to supply these; verify where they will be stored (the scripts save them into ~/clawd/skills/zstack-mcp/config/zstack.env and add them to your mcporter config). - The scripts will modify your mcporter configuration file in your home directory. Inspect the scripts to confirm they only add the expected entry. Keep backups of mcporter config (scripts already create a .bak) and review the resulting JSON before trusting it. - Keep write operations disabled (do not set ZSTACK_ALLOW_ALL_API=true) unless you fully trust the environment and want the skill to perform destructive actions. - If you decide to proceed: (1) clone the repo into a safe place, (2) delete or sanitize config/zstack.env, (3) run configure.sh interactively to provide your own credentials (or supply a session ID), and (4) inspect the mcporter config changes created by register-mcp.sh before using them. Consider running initial tests in an isolated environment and verify the upstream pip package (zstack-mcp-server) is the expected project from its maintainers.
功能分析
Type: OpenClaw Skill Name: zstack-mcp Version: 1.0.0 The skill manages sensitive ZStack Cloud credentials and stores them in plain text within 'config/zstack.env', which is a significant security risk. It provides scripts ('configure.sh' and 'register-mcp.sh') to automate the setup of an MCP server with broad access to over 2000 cloud API endpoints, including a mechanism to bypass read-only safety via the 'ZSTACK_ALLOW_ALL_API' flag. Additionally, the bundle includes a hardcoded password ('AIOS@rootpswd123') in the provided configuration file, which could lead to unauthorized access if not properly updated by the user.
能力评估
Purpose & Capability
The skill's name, description, scripts, and examples all align with providing a ZStack MCP integration and registering it with mcporter. However, the registry metadata claims 'required env vars: none' while SKILL.md and the scripts clearly expect and use ZSTACK_API_URL, ZSTACK_ACCOUNT, ZSTACK_PASSWORD or ZSTACK_SESSION_ID. Shipping a pre-filled config/zstack.env with an API URL and admin password is disproportionate to a general-purpose distribution (it embeds target-specific credentials).
Instruction Scope
Runtime instructions direct the agent/user to run interactive configuration, to save credentials into ~/clawd/skills/zstack-mcp/config/zstack.env, and to automatically update the user's mcporter config (~/.clawd/config/mcporter.json or ~/.team-os/mcp.json). Those actions are within the stated purpose (registering the MCP server) but they expand scope by persisting credentials and modifying user config files in the home directory. The SKILL.md also instructs use of curl requests and test commands that include credentials — all expected for this skill but worth noting because sensitive data is written to disk.
Install Mechanism
There is no aggressive install spec; SKILL.md recommends pip/pipx to install the upstream zstack-mcp-server package (a normal public registry flow). This is low-to-moderate risk. Nothing is downloaded from arbitrary shorteners or unknown URLs. However the repository bundle itself includes a pre-populated config file containing credentials, which increases practical risk during 'install' (copying the repo), even though the install mechanism is otherwise reasonable.
Credentials
The skill requires credentials (username/password or session ID) to function, which is appropriate, but the package contradicts registry metadata by not declaring required env vars. Worse, config/zstack.env in the package contains a plaintext ZSTACK_PASSWORD and ZSTACK_API_URL pointing at an internal IP (172.20.0.36) and an administrative password: 'AIOS@rootpswd123'. Bundling such credentials with a skill is unnecessary and dangerous — it may leak credentials or confuse users into using built-in credentials. The scripts will write credentials into the user's mcporter config, exposing them to any process that reads that file.
Persistence & Privilege
The skill does persist configuration to disk (skill-local config and modifies mcporter config in the user's home). It does not request 'always: true' and does not autonomously elevate privileges. Persisting credentials into home config is expected for an integration but increases attack surface and should be treated cautiously.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install zstack-mcp
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /zstack-mcp 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of zstack-mcp skill for OpenClaw: - Integrates ZStack Cloud MCP Server, enabling AI to query and execute over 2000 ZStack APIs with authentication management. - Provides secure, read-only access by default; write API calls require explicit opt-in. - Includes user-friendly setup scripts, comprehensive configuration and troubleshooting guides. - Supports flexible authentication (username/password or session), environment-based configuration, and response size limits for safety. - Offers example command usage for searching, describing, executing APIs, and querying monitoring metrics.
元数据
Slug zstack-mcp
版本 1.0.0
许可证 MIT-0
累计安装 0
当前安装数 0
历史版本数 1
常见问题

Zstack Mcp 是什么?

ZStack Cloud MCP Server integration for OpenClaw. Enables AI to query and execute ZStack APIs (2000+ endpoints) with authentication management and read-only... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 148 次。

如何安装 Zstack Mcp?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install zstack-mcp」即可一键安装,无需额外配置。

Zstack Mcp 是免费的吗?

是的,Zstack Mcp 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Zstack Mcp 支持哪些平台?

Zstack Mcp 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Zstack Mcp?

由 徐阳波(@xybstone)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论