Mcp App Builder
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated project may install dependency versions that differ from what was reviewed in the template.
The scaffolded project depends on external npm packages using caret ranges rather than exact pinned versions, so installs may resolve newer package versions over time.
"@modelcontextprotocol/ext-apps": "^1.0.0", "@modelcontextprotocol/sdk": "^1.24.0", ... "vite": "^6.0.0"
Review the generated package.json, and consider pinning exact versions and committing a lockfile before using the app with sensitive data or in production.
If the generated app is later connected to private APIs or data sources and exposed on a network or tunnel, other clients may be able to reach the MCP endpoint unless access controls are added.
The template creates a network-accessible MCP endpoint, enables CORS, and accepts all methods on /mcp. This is consistent with the stated MCP app pattern, but it expands exposure when the server is run.
const app = createMcpExpressApp({ host: "0.0.0.0" });
app.use(cors());
app.all("/mcp", async (req, res) => {
Use the template for local development as intended, and add appropriate authentication, origin restrictions, and network scoping before exposing real tools or private data.
