ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

test

v2.0.0

Guide for creating high-quality MCP (Model Context Protocol) servers that enable LLMs to interact with external services through well-designed tools. Use whe...

0· 11·0 current·0 all-time
by@jarrett817
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description present a developer guide for MCP servers — that matches the included documentation and helper code. However, the shipped runtime code (scripts/evaluation.py) instantiates an Anthropic client and calls remote LLM APIs, and scripts/requirements.txt lists 'anthropic' and 'mcp'. The SKILL metadata declares no required env vars or primary credential despite the code clearly needing API credentials to call an LLM service. This is an incoherence: a documentation/guide skill would not normally embed direct runtime code that requires provider credentials without declaring them.
!
Instruction Scope
The SKILL.md and embedded evaluation harness (EVALUATION_PROMPT and evaluation.py) instruct the agent to (a) call tools and include detailed summaries of each step, inputs provided, and outputs received, and (b) include feedback and final responses wrapped in XML-like tags. Requiring the assistant to verbatim report tool inputs/outputs increases the risk of leaking any sensitive data returned by tools. The evaluation/reference docs also say 'At NO stage should you READ the code of the MCP server implementation itself', which conflicts with the fact the package includes implementation code and an evaluation harness – ambiguous scope. Overall, the instructions are broader than a passive guide and could lead to exfiltration of sensitive data if used against real services.
Install Mechanism
There is no install spec (instruction-only install), and all files are shipped in the skill bundle. No external installer or download-from-URL steps are present, so there is no high-risk install mechanism. requirements.txt lists Python deps (anthropic, mcp) which is expected for the provided scripts.
!
Credentials
The code uses Anthropic() (Anthropic SDK) which typically requires an API key (e.g., ANTHROPIC_API_KEY) or similar credential, but requires.env/primaryEnv are empty — the skill does not declare required credentials. That omission is a meaningful mismatch. Additionally, scripts/connections.py supports passing environment variables into subprocess stdio connections; the evaluation flow collects and prints tool inputs/outputs — without declared environment constraints this could enable secrets to be passed into tool calls and then captured in reports.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide config modifications, and is user-invocable. It does allow the agent to call the included code autonomously (default), which is normal. No unusual persistence or cross-skill config edits are present.
What to consider before installing
This skill includes working code that will call an external LLM (Anthropic/Claude) and an evaluation harness that instructs the agent to print detailed summaries of tool inputs and outputs. Yet the skill metadata declares no required environment variables or API keys. Before installing or enabling this skill: - Treat it as suspicious until you confirm what credentials it needs. The evaluation script likely requires an Anthropic API key (or similar) to function; do not provide secret keys unless you audit the code and accept the risk. - Audit the scripts (evaluation.py and connections.py) yourself: look for where network calls are made and where data is logged or returned. The EVALUATION_PROMPT explicitly asks for tool inputs/outputs and summaries: that can expose secrets returned by tools. - If you plan to run evaluations, only run them against test/read-only environments containing non-sensitive data, and never point the harness at production systems or supply real account tokens. - Consider asking the skill author to: (1) declare required env vars (e.g., ANTHROPIC_API_KEY) in the metadata, (2) remove or make optional any prompts that require verbatim tool input/output logging, and (3) limit what is printed in reports to non-sensitive metadata. If you cannot verify these changes or audit the code yourself, avoid enabling the skill with real credentials or running it against live services.

Like a lobster shell, security has layers — review code before you run it.

latestvk978cmsfg41xqdekenwccq8rbx843vsb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

MCP Server Development Guide

Overview

Create MCP (Model Context Protocol) servers that enable LLMs to interact with external services through well-designed tools. The quality of an MCP server is measured by how well it enables LLMs to accomplish real-world tasks.

Process

🚀 High-Level Workflow

Creating a high-quality MCP server involves four main phases:

Phase 1: Deep Research and Planning

1.1 Understand Modern MCP Design

API Coverage vs. Workflow Tools: Balance comprehensive API endpoint coverage with specialized workflow tools. Workflow tools can be more convenient for specific tasks, while comprehensive coverage gives agents flexibility to compose operations. Performance varies by client—some clients benefit from code execution that combines basic tools, while others work better with higher-level workflows. When uncertain, prioritize comprehensive API coverage.

Tool Naming and Discoverability: Clear, descriptive tool names help agents find the right tools quickly. Use consistent prefixes (e.g., github_create_issue, github_list_repos) and action-oriented naming.

Context Management: Agents benefit from concise tool descriptions and the ability to filter/paginate results. Design tools that return focused, relevant data. Some clients support code execution which can help agents filter and process data efficiently.

Actionable Error Messages: Error messages should guide agents toward solutions with specific suggestions and next steps.

1.2 Study MCP Protocol Documentation

Navigate the MCP specification:

Start with the sitemap to find relevant pages: https://modelcontextprotocol.io/sitemap.xml

Then fetch specific pages with .md suffix for markdown format (e.g., https://modelcontextprotocol.io/specification/draft.md).

Key pages to review:

  • Specification overview and architecture
  • Transport mechanisms (streamable HTTP, stdio)
  • Tool, resource, and prompt definitions

1.3 Study Framework Documentation

Recommended stack:

  • Language: TypeScript (high-quality SDK support and good compatibility in many execution environments e.g. MCPB. Plus AI models are good at generating TypeScript code, benefiting from its broad usage, static typing and good linting tools)
  • Transport: Streamable HTTP for remote servers, using stateless JSON (simpler to scale and maintain, as opposed to stateful sessions and streaming responses). stdio for local servers.

Load framework documentation:

For TypeScript (recommended):

  • TypeScript SDK: Use WebFetch to load https://raw.githubusercontent.com/modelcontextprotocol/typescript-sdk/main/README.md
  • ⚡ TypeScript Guide - TypeScript patterns and examples

For Python:

  • Python SDK: Use WebFetch to load https://raw.githubusercontent.com/modelcontextprotocol/python-sdk/main/README.md
  • 🐍 Python Guide - Python patterns and examples

1.4 Plan Your Implementation

Understand the API: Review the service's API documentation to identify key endpoints, authentication requirements, and data models. Use web search and WebFetch as needed.

Tool Selection: Prioritize comprehensive API coverage. List endpoints to implement, starting with the most common operations.

Phase 2: Implementation

2.1 Set Up Project Structure

See language-specific guides for project setup:

2.2 Implement Core Infrastructure

Create shared utilities:

  • API client with authentication
  • Error handling helpers
  • Response formatting (JSON/Markdown)
  • Pagination support

2.3 Implement Tools

For each tool:

Input Schema:

  • Use Zod (TypeScript) or Pydantic (Python)
  • Include constraints and clear descriptions
  • Add examples in field descriptions

Output Schema:

  • Define outputSchema where possible for structured data
  • Use structuredContent in tool responses (TypeScript SDK feature)
  • Helps clients understand and process tool outputs

Tool Description:

  • Concise summary of functionality
  • Parameter descriptions
  • Return type schema

Implementation:

  • Async/await for I/O operations
  • Proper error handling with actionable messages
  • Support pagination where applicable
  • Return both text content and structured data when using modern SDKs

Annotations:

  • readOnlyHint: true/false
  • destructiveHint: true/false
  • idempotentHint: true/false
  • openWorldHint: true/false

Phase 3: Review and Test

3.1 Code Quality

Review for:

  • No duplicated code (DRY principle)
  • Consistent error handling
  • Full type coverage
  • Clear tool descriptions

3.2 Build and Test

TypeScript:

  • Run npm run build to verify compilation
  • Test with MCP Inspector: npx @modelcontextprotocol/inspector

Python:

  • Verify syntax: python -m py_compile your_server.py
  • Test with MCP Inspector

See language-specific guides for detailed testing approaches and quality checklists.

Phase 4: Create Evaluations

After implementing your MCP server, create comprehensive evaluations to test its effectiveness.

Load ✅ Evaluation Guide for complete evaluation guidelines.

4.1 Understand Evaluation Purpose

Use evaluations to test whether LLMs can effectively use your MCP server to answer realistic, complex questions.

4.2 Create 10 Evaluation Questions

To create effective evaluations, follow the process outlined in the evaluation guide:

  1. Tool Inspection: List available tools and understand their capabilities
  2. Content Exploration: Use READ-ONLY operations to explore available data
  3. Question Generation: Create 10 complex, realistic questions
  4. Answer Verification: Solve each question yourself to verify answers

4.3 Evaluation Requirements

Ensure each question is:

  • Independent: Not dependent on other questions
  • Read-only: Only non-destructive operations required
  • Complex: Requiring multiple tool calls and deep exploration
  • Realistic: Based on real use cases humans would care about
  • Verifiable: Single, clear answer that can be verified by string comparison
  • Stable: Answer won't change over time

4.4 Output Format

Create an XML file with this structure:

<evaluation>
  <qa_pair>
    <question>Find discussions about AI model launches with animal codenames. One model needed a specific safety designation that uses the format ASL-X. What number X was being determined for the model named after a spotted wild cat?</question>
    <answer>3</answer>
  </qa_pair>
<!-- More qa_pairs... -->
</evaluation>

Reference Files

📚 Documentation Library

Load these resources as needed during development:

Core MCP Documentation (Load First)

  • MCP Protocol: Start with sitemap at https://modelcontextprotocol.io/sitemap.xml, then fetch specific pages with .md suffix
  • 📋 MCP Best Practices - Universal MCP guidelines including:
    • Server and tool naming conventions
    • Response format guidelines (JSON vs Markdown)
    • Pagination best practices
    • Transport selection (streamable HTTP vs stdio)
    • Security and error handling standards

SDK Documentation (Load During Phase 1/2)

  • Python SDK: Fetch from https://raw.githubusercontent.com/modelcontextprotocol/python-sdk/main/README.md
  • TypeScript SDK: Fetch from https://raw.githubusercontent.com/modelcontextprotocol/typescript-sdk/main/README.md

Language-Specific Implementation Guides (Load During Phase 2)

  • 🐍 Python Implementation Guide - Complete Python/FastMCP guide with:

    • Server initialization patterns
    • Pydantic model examples
    • Tool registration with @mcp.tool
    • Complete working examples
    • Quality checklist

  • ⚡ TypeScript Implementation Guide - Complete TypeScript guide with:

    • Project structure
    • Zod schema patterns
    • Tool registration with server.registerTool
    • Complete working examples
    • Quality checklist

Evaluation Guide (Load During Phase 4)

  • ✅ Evaluation Guide - Complete evaluation creation guide with:
    • Question creation guidelines
    • Answer verification strategies
    • XML format specifications
    • Example questions and answers
    • Running an evaluation with the provided scripts

Files

10 total
Select a file
Select a file to preview.

Comments

Loading comments…