ClawHub

Cca Domain2

v1.0.0

CCA 领域2:工具设计与MCP集成(18%权重)。当用户说"学domain2"、"工具设计"、"MCP集成"、"cca-domain2"时使用。

0· 103·0 current·1 all-time
by@sawzhang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (CCA domain 2: tool design & MCP integration) matches the SKILL.md content. The guidance expects use of file- and agent-focused tools (Read/Write/Edit/Grep/Glob/Bash/Agent) which are appropriate for hands-on exercises about configuring .mcp.json, editing descriptions, and testing tool routing.
Instruction Scope
Instructions guide the agent to explain concepts, run exercises that create/modify project and user MCP config files (project .mcp.json and ~/.claude.json), and to use Read/Write/Bash/Grep/Glob for hands-on work. This scope is appropriate, but exercises explicitly reference user-level config paths (~/.claude.json) and environment-variable expansion (${GITHUB_TOKEN}), which could lead to requests for secrets or access to private config if the agent is given filesystem/Bash access—users should avoid exposing real credentials or committing secrets.
Install Mechanism
No install spec and no code files — the skill is instruction-only, so nothing is downloaded or written by an installer. This is the lowest-risk install profile.
Credentials
The skill does not declare required env vars or credentials (none in requires.env). It does discuss using environment-variable expansion in .mcp.json (e.g., ${GITHUB_TOKEN}), which is reasonable for the topic but could encourage supplying tokens. Because the skill could be used with tools that access the shell or files, users should avoid providing real secrets and instead use placeholders or sandboxed test tokens.
Persistence & Privilege
always is false and there are no install scripts. The SKILL.md allows use of powerful tools (Bash and Agent), which is coherent for hands-on exercises but increases runtime power; this is normal for such tutor skills but means users should control tool permissions when enabling the skill.
Assessment
This skill is a coherent tutor for tool design and MCP integration and does not request credentials or install code. Before using it, do not let the agent access your real secrets or production config: (1) run exercises in a sandbox or throwaway repo, (2) never paste real tokens or passwords into .mcp.json or chat, use test tokens or placeholders, (3) if you grant the agent Bash/file permissions, review any edits the agent proposes before applying, and (4) be cautious about giving the Agent tool permission to spawn sub-agents — limit autonomy and monitor actions. If you need stronger assurance, ask the skill to operate only in read-only mode or to provide diffs for manual review rather than editing files directly.

Like a lobster shell, security has layers — review code before you run it.

latestvk976zxsvg3vn17fanpfbg0xw8h83gs9j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments