# Mode: HTTP + no auth

For public MCP servers that require no credentials. Rare. Use for genuinely public APIs (open data sets, public documentation MCPs, etc.) — never for production systems where authentication has been disabled.

## When to pick this mode

- The MCP endpoint is publicly callable without any token, key, or session.
- The user has explicitly confirmed there's no authentication step.

If the user is "not sure whether it needs auth", default to ad-hoc testing first — `mcporter list <BASE_URL>` against the URL. If it works without complaint, no auth is required. If it returns a 401/403/redirects to OAuth, pick a different mode.

## Required inputs

In addition to the universal `<slug>` and `--out <path>` (covered in [SKILL.md § "Step 2"](../SKILL.md)):

- `<base-url>` — the MCP endpoint. Must be HTTPS unless the user passes `--allow-http` and acknowledges the security implication.

## Files to generate

Standard non-OAuth shape — see [`conventions.md` § "Files generated by scaffolding"](conventions.md#files-generated-by-scaffolding). No `scripts/` directory. No `requires.env`.

## Template — `<slug>/SKILL.md`

````markdown
---
name: <SLUG>
description: "TODO: rewrite before publishing — durable purpose framing for this MCP integration."
homepage: "TODO: replace with upstream MCP docs URL"
metadata:
  {
    "openclaw":
      {
        "emoji": "📡",
        "requires":
          {
            "bins": ["mcporter"],
          },
        "install":
          [
            {
              "id": "node",
              "kind": "node",
              "package": "mcporter",
              "bins": ["mcporter"],
              "label": "Install mcporter (node)",
            },
          ],
      },
  }
---

# <SLUG>

## How to use this skill

This skill is a thin pass-through to the public MCP server at `<BASE_URL>`. The live server is the source of truth for what tools exist, what they're called, what arguments they take, and any per-server instructions the server publishes.

**Step 1 — Discover the live tool catalog and any server-published usage instructions.** Always run this first; do not rely on tool names from memory:

```sh
mcporter --config {baseDir}/mcporter.json list <SLUG> --schema
```

The output includes the server's `Instructions:` field (read it) and a JSON Schema for every tool's parameters. Treat this as the authoritative reference for the rest of the session.

**Step 2 — Call any tool from the catalog** using the form `<SLUG>.<tool>`:

```sh
mcporter --config {baseDir}/mcporter.json call <SLUG>.<tool> <arg>=<value> ...
```

Add `--output json` for structured output (also surfaces transport errors as JSON envelopes):

```sh
mcporter --config {baseDir}/mcporter.json call --output json <SLUG>.<tool> ...
```

## Authentication

None. This MCP is publicly callable.
````

**Substitutions to make before writing the SKILL.md.** Substitute `<SLUG>` and `<BASE_URL>` throughout. The terse "None. This MCP is publicly callable." is the load-bearing signal that distinguishes this mode from a misconfigured auth-required skill; do not soften it. Rate-limit / quota notes belong in a separate body section, not as an auth addendum.

**Editability rules** for the Discovery flow and Authentication block live in [`conventions.md` § "Editability — Discovery flow and Authentication block"](conventions.md#editability--discovery-flow-and-authentication-block). Read it before publishing.

**Optional sections.** Between the discovery flow and the Authentication block, you *may* insert `## Conventions worth knowing` if the MCP has cross-tool invocation conventions worth surfacing. The `## Safety` section is usually omitted for no-auth mode (typically read-only public APIs); include it only if the public MCP exposes write-class tools and has a stable read/write prefix split. Templates for both live in [`conventions.md` § "Optional sections — Conventions worth knowing & Safety"](conventions.md#optional-sections--conventions-worth-knowing--safety).

## Template — `<slug>/mcporter.json`

```json
{
  "imports": [],
  "mcpServers": {
    "<SLUG>": {
      "baseUrl": "<BASE_URL>",
      "transport": "http"
    }
  }
}
```

## Mode-specific validation

In addition to the universal checks in `validation.md`:

- [ ] `mcpServers.<slug>.transport` = `"http"`.
- [ ] `mcpServers.<slug>` has **no** `auth`, `bearerTokenEnv`, or `headers` fields. (If present, this isn't actually a no-auth MCP — switch modes.)
- [ ] `requires` does not include `env` (or includes only an empty array — but absent is cleaner).
- [ ] `primaryEnv` is **not** present in the frontmatter. (No representative env var for a credential-free skill.)
- [ ] No `scripts/` directory exists.

## Reporting back to the user

Follow the universal shape in [`conventions.md` § "Reporting back to the user"](conventions.md#reporting-back-to-the-user). No-auth-specific note: include the sanity check — confirm with the user that no auth is genuinely correct for this endpoint. A misconfigured no-auth skill against an authenticated server fails every call with 401.

## References

- [openclaw/mcporter — `docs/adhoc.md`](https://github.com/openclaw/mcporter/blob/main/docs/adhoc.md) — minimal HTTP MCP shape (no auth fields needed)
- [openclaw/mcporter — `docs/config.md`](https://github.com/openclaw/mcporter/blob/main/docs/config.md) — `--allow-http` requirement for plain HTTP URLs (HTTPS is the default)
- [Model Context Protocol spec — Streamable HTTP transport](https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#streamable-http) — the transport this mode targets