glove
Provides a comprehensive guide for developing AI applications using the Glove framework, including setup and core concepts.
Install this skill
Security score
The glove skill was audited on May 12, 2026 and we found 35 security issues across 4 threat categories, including 2 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 116 | data: `User selected: ${selected}`, // sent to AI |
Template literal with variable interpolation in command context
| 302 | const res = await fetch(`https://wttr.in/${input.city}?format=j1`); |
Template literal with variable interpolation in command context
| 319 | input: { message: `Delete ${input.file}?` }, |
Template literal with variable interpolation in command context
| 337 | if (event_type === "tool_use") console.log(`\n[tool] ${(data as any).name}`); |
Template literal with variable interpolation in command context
| 448 | getInboxItems: (sid) => fetch(`/api/sessions/${sid}/inbox`).then(r => r.json()), |
Template literal with variable interpolation in command context
| 449 | addInboxItem: (sid, item) => fetch(`/api/sessions/${sid}/inbox`, { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ item }) }), |
Template literal with variable interpolation in command context
| 450 | updateInboxItem: (sid, itemId, updates) => fetch(`/api/sessions/${sid}/inbox/update`, { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ itemId, updates }) }), |
Template literal with variable interpolation in command context
| 451 | getResolvedInboxItems: (sid) => fetch(`/api/sessions/${sid}/inbox/resolved`).then(r => r.json()), |
Template literal with variable interpolation in command context
| 484 | `Be terse. (source=${source}, hint=${args ?? "none"})`, |
Template literal with variable interpolation in command context
| 491 | ?? new MemoryStore(`weather_${Date.now()}`); |
Template literal with variable interpolation in command context
| 592 | return `Switch into research mode. Focus: ${args ?? "general"}.`; |
Template literal with variable interpolation in command context
| 596 | return `Switch into research mode. User said: ${parsedText}`; |
Template literal with variable interpolation in command context
| 662 | ?? new MemoryStore(`researcher_${Date.now()}`); |
Template literal with variable interpolation in command context
| 826 | - **Name**: `${entry.id}__${tool.name}` (e.g. `notion__search`). The `__` separator (exported as `MCP_NAMESPACE_SEP`) is regex-safe across all model providers. |
Template literal with variable interpolation in command context
| 1872 | 30. **MCP tool names use `__`**: Bridged MCP tool names are `${entry.id}__${tool.name}` — the `__` separator (`MCP_NAMESPACE_SEP`) is regex-safe across all model providers. A Notion `search` tool surf |
Fetch to external URL
| 150 | // getSessionId: () => fetch("/api/session").then(r => r.json()).then(d => d.id), |
Webhook reference - potential data exfiltration
| 389 | // From a background job, webhook handler, or cron: |
Access to .env file
| 87 | Set `ANTHROPIC_API_KEY` (or `OPENAI_API_KEY`, etc.) in `.env.local`. |
Access to .env file
| 1246 | .env.example # Generated from `env` config — required vars first |
Access to .env file
| 1304 | const s3 = new S3Client({ region: process.env.AWS_REGION }) |
Access to .env file
| 1308 | bucket: process.env.OUTPUTS_BUCKET!, |
Access to .env file
| 1309 | region: process.env.AWS_REGION, |
Access to .env file
| 1325 | rule.s3({ bucket: process.env.OUTPUTS_BUCKET! }), |
Access to .env file
| 1337 | - **Docker** — `docker build -t my-app dist/` then run with `-p 8080:8080 -e GLOVEBOX_KEY=$(cat dist/glovebox.key) -e GLOVEBOX_PUBLIC_URL=https://my-app.example.com my-app`. Set any required env vars |
Access to .env file
| 1349 | pdf: { url: "wss://pdf.example.com/", key: process.env.GLOVEBOX_PDF_KEY! }, |
Access to .env file
| 1668 | Set `ELEVENLABS_API_KEY` in `.env.local`. |
External URL reference
| 15 | **Docs site**: https://glove.dterminal.net |
External URL reference
| 302 | const res = await fetch(`https://wttr.in/${input.city}?format=j1`); |
External URL reference
| 860 | url: "https://mcp.notion.com/mcp", |
External URL reference
| 880 | - **`runMcpOAuth(opts)`** — one call, end-to-end flow. Spins up a local listener on `http://localhost:53683/callback` (configurable), drives the SDK through DCR (or skips it via `preRegisteredClient`) |
External URL reference
| 1083 | Episodic and resources use the same lifecycle. Writes mark records `embeddingStatus: "missing"` (initial) or `"stale"` (content change) and return immediately. A separate process — typically a [Statio |
External URL reference
| 1138 | - Triggering, scheduling, or pipeline orchestration ([Station](https://station.dterminal.net)'s territory). |
External URL reference
| 1337 | - **Docker** — `docker build -t my-app dist/` then run with `-p 8080:8080 -e GLOVEBOX_KEY=$(cat dist/glovebox.key) -e GLOVEBOX_PUBLIC_URL=https://my-app.example.com my-app`. Set any required env vars |
External URL reference
| 1340 | `GLOVEBOX_PORT` defaults to 8080; the Dockerfile `EXPOSE`s and `ENV`s it. `GLOVEBOX_PUBLIC_URL` defaults to `http://localhost:<port>` — fine for local, broken for any client outside the container. |
External URL reference
| 1624 | Available at https://glove.dterminal.net/tools — copy-paste into your project: |