Mcp App Builder
PassAudited by ClawScan on May 1, 2026.
Overview
The skill coherently scaffolds MCP apps, with ordinary development risks around npm dependencies and exposing a local MCP server during testing.
This looks safe to use as a development scaffold. Before installing dependencies or exposing a generated MCP app outside your machine, review the npm packages, pin versions if needed, and add access controls if the app will connect to private data or real services.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated project may install dependency versions that differ from what was reviewed in the template.
The scaffolded project depends on external npm packages using caret ranges rather than exact pinned versions, so installs may resolve newer package versions over time.
"@modelcontextprotocol/ext-apps": "^1.0.0", "@modelcontextprotocol/sdk": "^1.24.0", ... "vite": "^6.0.0"
Review the generated package.json, consider pinning exact versions and committing a lockfile before using the app with sensitive data or in production.
If the generated app is later connected to private APIs or data sources and exposed on a network or tunnel, other clients may be able to reach the MCP endpoint unless access controls are added.
The template creates a network-accessible MCP endpoint, enables CORS, and accepts all methods on /mcp. This is consistent with the stated MCP app pattern, but it expands exposure when the server is run.
const app = createMcpExpressApp({ host: "0.0.0.0" });
app.use(cors());
app.all("/mcp", async (req, res) => {Use the template for local development as intended, and add appropriate authentication, origin restrictions, and network scoping before exposing real tools or private data.