Documentation-only master skill for GLM ecosystem discovery and installation. This skill does not execute scripts or subprocess commands. It provides a curat...
Security Analysis
high confidence
This is a documentation-only master skill that lists GLM-related skills and installation instructions; its requirements and instructions are consistent with that purpose.
The skill is described as a documentation-only index of GLM skills and indeed contains only a catalog and installation guidance. It requests no credentials, binaries, or config paths, which is appropriate for a guide.
The SKILL.md contains shell commands (npx, git clone) and install guidance for downstream skills but does not instruct the agent itself to read local files or exfiltrate data. The description says it "does not execute scripts or subprocess commands" — that refers to the skill itself, not the user-facing install commands; this could be mildly confusing to non-technical users.
No install spec or code files are bundled. The document recommends using npx and git clone to fetch downstream skills (normal for installation docs). Because it suggests running npx @latest, users should be aware that following those commands downloads code at runtime from npm/GitHub (expected but worth attention).
The master skill itself requires no environment variables. It correctly notes that many downstream GLM skills use ZHIPU_API_KEY and gives reasonable best-practice advice for key handling; requesting that key for downstream use is proportional and expected.
The skill does not request permanent presence (always:false) and does not modify other skills or system configuration. Autonomous model invocation is allowed by platform default but the skill's content does not exploit that.
Guidance
This skill is a read-only catalog and appears coherent with that purpose. Before following any install commands the skill suggests: (1) review the target repositories' SKILL.md and source code on GitHub so you know what will be installed; (2) prefer pinning versions (avoid indiscriminately using `@latest`) and verify the authenticity of the npm package (clawhub) before running npx; (3) be aware that running `npx` or `git clone` will fetch and execute network code—treat those as normal code-install risks; (4) downstream skills may require ZHIPU_API_KEY—create a limited-scope key and do not commit it to source control; and (5) if you do not want an agent to run shell commands automatically, keep autonomous execution disabled for the agent or explicitly instruct it not to run commands.
Latest Release
v1.0.9
- Updated all GLM skill links from the previous repository path to the new https://github.com/zai-org/GLM-skills structure.
- Updated the metadata fields "source" and "homepage" to point to the new repository location.
- Adjusted GitHub installation instructions to match the new repository.
- No logic or functional changes; documentation and navigation only.
Published by @jaredforreal on ClawHub