mcp-developer
Pass
Audited by ClawScan on May 3, 2026.
Overview
This instruction-only MCP development skill is coherent and does not request credentials or install code, but users should review any generated MCP tool permissions and verify claimed metrics.
This skill appears safe to install as an instruction-only MCP development assistant. Before using its output in production, review generated MCP tools for least privilege, require explicit authentication and authorization controls, and verify any claimed performance, security, or uptime results with tests or monitoring evidence.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A generated MCP server could let an AI agent call APIs, access files, or interact with databases depending on how the user implements it.
MCP development is explicitly about exposing tools and data sources to AI systems. This is purpose-aligned, but generated MCP tools can have real-world effects if permissions are too broad.
"building servers and clients that connect AI systems with external tools and data sources"
Review generated MCP tool definitions, permissions, authentication, and allowlists before deploying or connecting them to sensitive systems.
A user might trust generated performance or uptime claims that were not actually verified.
The skill includes a sample delivery message with precise performance and uptime claims. If reused without measurement, it could overstate the quality or reliability of the delivered work.
"Delivered production-ready server with 12 tools and 8 resources, achieving 200ms average response time and 99.9% uptime."
Treat such statements as placeholders and require benchmarks, tests, or monitoring evidence before accepting specific reliability or performance claims.
Users have limited external context for who maintains the skill or where to verify updates.
The registry metadata provides limited provenance. Because this is instruction-only with no install script or code files, the practical supply-chain risk shown in the artifacts is low.
Source: unknown; Homepage: none
Prefer skills with clear source provenance when possible, and review the visible instructions before relying on them for sensitive development work.
