mcp-server-builder
v1.0.0MCP Server Builder
⭐ 0· 288·8 current·8 all-time
byAlireza Rezvani@alirezarezvani
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name, description, SKILL.md, and the two scripts consistently implement OpenAPI→MCP scaffold generation and manifest validation. No unrelated environment variables, binaries, or cloud credentials are required by the skill itself. The reference server templates do show example env usage (API_BASE, API_TOKEN) for generated code — that is expected for produced scaffolds but is not a requirement of the skill package.
Instruction Scope
The SKILL.md and scripts restrict actions to parsing an OpenAPI spec, producing a tool_manifest.json and a server scaffold, and validating manifests. The scripts read only the specified input (file or stdin) and write outputs to the chosen output directory. There are no instructions to read unrelated system files, probe networks, or exfiltrate data. Note: example templates (references/python-server-template.md) use os.environ to access runtime secrets for the generated server — that is standard for downstream runtime but not used by the generator/validator themselves.
Install Mechanism
There is no install spec and no network/download step; the skill is instruction+script bundle only. All code is included in the skill files. The generator optionally imports PyYAML if parsing YAML input, but PyYAML is not pulled in automatically by this skill (the import is attempted only at runtime and will raise a clear error if YAML is supplied without PyYAML).
Credentials
The skill itself declares no required environment variables or credentials (which is proportional). However, the example server templates demonstrate typical runtime env usage (e.g., API_BASE, API_TOKEN). Users should understand those are for the generated server runtime and are not required to run the generator/validator; they must supply appropriate runtime secrets if they run the scaffolded server.
Persistence & Privilege
The skill does not request persistent presence (always=false) and does not modify other skills or global agent configuration. It writes generated files to an output directory chosen by the user, which is expected behavior for a generator.
Assessment
This skill appears to do what it says: convert OpenAPI specs into MCP tool manifests and starter scaffolds, and validate manifests. Before installing or running: review generated output (tool_manifest.json and scaffold) before deploying or committing it; do not commit API tokens or other secrets that the generated server templates may expect in env vars; if you plan to feed YAML OpenAPI specs, ensure PyYAML is installed where you run the generator; run the validator in --strict mode in CI to catch contract errors; and when deploying a generated MCP server, follow the SKILL.md guidance (host allowlists, redact logs, rate limits) because a single MCP server can increase blast radius if it exposes many tools.Like a lobster shell, security has layers — review code before you run it.
latestvk979yvrj08myf6twmeeres608x82qfpd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.