Mcp Dev Toolkit
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: mcp-dev-toolkit
Version: 1.0.0
The skill bundle provides legitimate scaffolding scripts and code patterns for developing Model Context Protocol (MCP) servers in Python and TypeScript. The included bash script (scripts/scaffold.sh) and reference files (references/file-tools.md, etc.) contain standard boilerplate code for tool registration and transport configuration, with no evidence of malicious intent, data exfiltration, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this pattern is copied directly into an MCP server, an agent could write files anywhere the server process has write permission.
The reference pattern demonstrates an MCP tool that writes arbitrary user-supplied paths without showing path allowlists, confirmation, or workspace restrictions. This is purpose-aligned documentation, but should be scoped before deployment.
server.tool("write_file", { path: z.string(), content: z.string() }, async ({ path, content }) => { await fs.writeFile(path, content, "utf-8");
Add workspace allowlists, path normalization, explicit user approval for writes, and clear limits before using this pattern in a real MCP server.
A copied tool could let an agent send requests to unintended services or perform API mutations if credentials are included in headers.
The API wrapper pattern accepts arbitrary URLs, headers, and POST bodies. This is expected for API-integration guidance, but it is a broad escape-hatch style tool if deployed without endpoint restrictions.
server.tool("api_post", { url: z.string(), body: z.record(z.any()), headers: z.record(z.string()).optional() }, async ({ url, body, headers: extraHeaders }) => { const resp = await fetch(url, { method: "POST"
Restrict allowed domains and methods, avoid passing arbitrary headers, redact secrets from logs, and require user confirmation for mutating API calls.
If the resulting server is deployed with a highly privileged database credential, an agent could read more database data than intended.
The database pattern uses a database connection string from the environment. That is normal for database MCP tools, but it means the resulting server can access data according to that credential's privileges.
const pool = new pg.Pool({ connectionString: process.env.DATABASE_URL });
Use least-privilege, read-only database users where possible, restrict schemas/tables, and keep the SELECT-only checks or stronger query controls.
Future dependency updates could change behavior or introduce vulnerabilities in generated projects.
The scaffold script generates project manifests with dependency version ranges rather than pinned versions. It does not install them automatically, but users who install later will receive whatever newer versions satisfy those ranges.
"dependencies": { "@modelcontextprotocol/sdk": "^1.0.0", "zod": "^3.22.0" }
Review generated dependencies, use lockfiles, and pin versions for production MCP servers.
