Skill v1.0.0
ClawScan security
mcp-builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 6, 2026, 6:55 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instructional guide for building MCP servers and its files, environment requests, and instructions are consistent with that purpose.
- Guidance: This skill is an on‑boarding / developer guide for creating MCP servers and appears internally consistent. Two practical cautions before you use it: (1) the SKILL instructs the agent to fetch external documentation (WebFetch). If you run the skill, the agent will make outbound requests to those URLs; review the referenced domains if that matters to you. (2) The package contains example Python scripts; although the instructions do not require executing them, if you plan to run any included scripts, inspect their code first (and run them in a safe, isolated environment) because example code can perform network I/O or other actions not described in the high‑level guide.
Review Dimensions
- Purpose & Capability (ok): Name and description match the included content: extensive documentation and examples for building MCP servers. No unrelated environment variables, binaries, or install steps are requested.
- Instruction Scope (note): Runtime instructions ask the agent to read local reference docs and fetch authoritative MCP docs from the web (WebFetch). That is expected for a developer guide. One mild inconsistency/note: the package includes example scripts (scripts/*.py) but the evaluation docs explicitly instruct evaluators not to read the server implementation code; including sample code while asking not to inspect implementation is reasonable for a black‑box evaluation workflow, but you should be aware the repo contains executable scripts that are not automatically vetted by the instructions.
- Install Mechanism (ok): There is no install spec; the skill is instruction-only plus example scripts. No downloads or archive extraction are performed by the skill itself, which minimizes install-time risk.
- Credentials (ok): The skill does not request any environment variables, credentials, or config paths. WebFetch calls target external documentation; there are no requests for unrelated secrets or system config.
- Persistence & Privilege (ok): always is false and there are no privileges requested for persistent presence or modifications to other skills or system-wide settings.
