Scan Report
5 /100
zhipu-coding-plan-mcp
智谱 AI 视觉、搜索与生图工具集
This is a legitimate Zhipu AI (智谱) MCP tool integration that provides image analysis, web search, and AI generation capabilities. All credential access and execution is declared and necessary for the documented functionality.
Safe to install
No action needed. The skill follows security best practices by reading API keys from a config file rather than hardcoding them.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Shell | WRITE | WRITE | ✓ Aligned | execFileSync('npx', ...) in scripts/zai-mcp.js:42 - declared in SKILL.md metadat… |
| Filesystem | READ | READ | ✓ Aligned | readFileSync for auth-profiles.json and mcporter.json |
| Network | READ | READ | ✓ Aligned | HTTPS calls to open.bigmodel.cn for AI services |
7 findings
Medium External URL 外部 URL
https://open.bigmodel.cn SKILL.md:47 Medium External URL 外部 URL
https://open.bigmodel.cn/api/paas/v4/images/generations SKILL.md:165 Medium External URL 外部 URL
https://open.bigmodel.cn/api/paas/v4/videos/generations SKILL.md:184 Medium External URL 外部 URL
https://open.bigmodel.cn/api/paas/v4/async-result/$TASK_ID SKILL.md:211 Medium External URL 外部 URL
https://open.bigmodel.cn/api/mcp/web_search_prime/mcp mcporter.json:14 Medium External URL 外部 URL
https://open.bigmodel.cn/api/mcp/web_reader/mcp mcporter.json:19 Medium External URL 外部 URL
https://open.bigmodel.cn/api/mcp/zread/mcp mcporter.json:24 File Tree
3 files · 11.6 KB · 348 lines Markdown 1f · 271L
JavaScript 1f · 49L
JSON 1f · 28L
├─
▾
scripts
│ └─
zai-mcp.js
JavaScript
├─
mcporter.json
JSON
└─
SKILL.md
Markdown
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
npx | * | system | No | Required dependency declared in metadata |
mcporter | * | npm | No | MCP server orchestrator |
Security Positives
✓ API key is read dynamically from config file, not hardcoded
✓ npx dependency declared in SKILL.md metadata
✓ All network calls go to official Zhipu API endpoint (open.bigmodel.cn)
✓ No credential exfiltration - keys stay local
✓ Script is straightforward with no obfuscation or base64 encoding
✓ MCP servers use proper HTTP bearer token authentication