Mcp Dev Toolkit
Pass
Audited by ClawScan on May 12, 2026.
Overview
This is a coherent developer toolkit, but its example MCP tool patterns should be scoped carefully before use because they demonstrate broad file, API, and database access.
This skill appears safe as a development reference and scaffold. Before using its examples in a real MCP server, restrict file paths, API endpoints, and database permissions, and review generated dependencies with a lockfile.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied directly into an MCP server, an agent could write files anywhere the server process has permission.
The reference pattern demonstrates an MCP tool that writes arbitrary user-supplied paths without showing path allowlists, confirmation, or workspace restrictions. This is purpose-aligned documentation, but should be scoped before deployment.
server.tool("write_file", { path: z.string(), content: z.string() }, async ({ path, content }) => { await fs.writeFile(path, content, "utf-8");

Add workspace allowlists, path normalization, explicit user approval for writes, and clear limits before using this pattern in a real MCP server.
A copied tool could let an agent send requests to unintended services or perform API mutations if credentials are included in headers.
The API wrapper pattern accepts arbitrary URLs, headers, and POST bodies. This is expected for API-integration guidance, but it is a broad escape-hatch style tool if deployed without endpoint restrictions.
server.tool("api_post", { url: z.string(), body: z.record(z.any()), headers: z.record(z.string()).optional() }, async ({ url, body, headers: extraHeaders }) => { const resp = await fetch(url, { method: "POST"

Restrict allowed domains and methods, avoid passing arbitrary headers, redact secrets from logs, and require user confirmation for mutating API calls.
If deployed with a highly privileged database credential, an agent could read more database data than intended.
The database pattern uses a database connection string from the environment. That is normal for database MCP tools, but it means the resulting server can access data according to that credential's privileges.
const pool = new pg.Pool({ connectionString: process.env.DATABASE_URL });

Use least-privilege, read-only database users where possible, restrict schemas/tables, and keep the SELECT-only checks or stronger query controls.
Future dependency updates could change behavior or introduce vulnerabilities in generated projects.
The scaffold script generates project dependency ranges rather than pinned versions. It does not install them automatically, but users who install later will receive whatever newer versions satisfy those ranges.
"dependencies": { "@modelcontextprotocol/sdk": "^1.0.0", "zod": "^3.22.0" }

Review generated dependencies, use lockfiles, and pin versions for production MCP servers.
