ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ainative Mcp Builder

v1.0.0

Build and publish custom MCP servers on AINative. Use when (1) Creating a new MCP server from scratch, (2) Adding tools to an existing MCP server, (3) Publis...

0· 109·1 current·1 all-time
byToby Morning@urbantech

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for urbantech/ainative-mcp-builder.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Ainative Mcp Builder" (urbantech/ainative-mcp-builder) from ClawHub.
Skill page: https://clawhub.ai/urbantech/ainative-mcp-builder
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ainative-mcp-builder

ClawHub CLI

Package manager switcher

npx clawhub@latest install ainative-mcp-builder
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the SKILL.md content: examples for FastMCP (Python) and the MCP SDK (Node), configuration for Claude Code, and publishing guidance to npm/ClawHub. The requested capabilities (exposing tools, calling AINative endpoints) are coherent with the stated purpose.
!
Instruction Scope
The runtime instructions include concrete code that performs network calls to AINative endpoints and shows using an API key (API_KEY / AINATIVE_API_KEY). The SKILL.md does not instruct reading unrelated local files or broad system state, but it does reference credentials in-line and environment usage in examples — this access is outside what's declared in the skill metadata (no required env vars).
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing will be written to disk by the skill itself. The guidance to pip/npm-install third-party packages (fastmcp, @modelcontextprotocol/sdk) is expected for the described tasks and is documented in the instructions.
!
Credentials
The SKILL.md examples require an AINATIVE API key (API_KEY / AINATIVE_API_KEY) to call AINative APIs, but the skill's declared requirements list zero environment variables or primary credentials. That mismatch is disproportionate: the skill will only be useful with a credential, yet it doesn't declare or explain that requirement in metadata.
Persistence & Privilege
always:false and no requested config-path or persistent system modifications. The skill does not request permanent inclusion or modify other skills' configuration in the provided instructions.
What to consider before installing
This skill appears to legitimately show how to build and publish MCP servers, but take these precautions before installing or using it: - The SKILL.md examples use an AINATIVE API key (API_KEY / AINATIVE_API_KEY). The skill metadata does not declare this — ask the publisher to update the metadata to list required credentials before providing any secrets. - Only give an API key with the minimum scope needed (do not reuse a full-admin key). Prefer creating a scoped/test key and rotate it if you later revoke access. - The skill instructs installing third-party packages (pip/npm). Verify those packages' authors and source (PyPI/npm) and audit package versions before running installs. - The Python sample hardcodes API_KEY in code; avoid hardcoding secrets in repos. Use environment variables or a secure secrets mechanism instead. - If you must run example servers locally, sandbox them (container, VM) and monitor network traffic to ensure calls go only to expected AINative endpoints (api.ainative.studio) and not to unknown hosts. - Ask the skill author to correct the metadata (declare required env vars) and provide a source/homepage or repository so you can review the actual implementation before trusting published MCP packages. If the author cannot provide clearer metadata or a verifiable source, treat the skill as risky for production use.

Like a lobster shell, security has layers — review code before you run it.

latestvk971fytqw4htnk5gwvvt7cbe1n83hbtz
109downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
Toby Morning@urbantech
latest
Download

AINative MCP Builder Guide

What is an MCP Server?

Model Context Protocol (MCP) servers expose tools that AI agents (Claude Code, Cursor, Windsurf, etc.) can call directly. AINative's MCP servers (zerodb-mcp-server, zerodb-memory-mcp) are built this way.

Python — FastMCP

pip install fastmcp

# my_mcp_server.py
from fastmcp import FastMCP
import requests

mcp = FastMCP("my-tools")
API_KEY = "ak_your_key"
BASE = "https://api.ainative.studio"

@mcp.tool()
def get_user_credits() -> dict:
    """Get the current user's credit balance."""
    return requests.get(
        f"{BASE}/api/v1/public/credits/balance",
        headers={"X-API-Key": API_KEY}
    ).json()

@mcp.tool()
def search_memory(query: str, limit: int = 5) -> dict:
    """Search agent memory semantically."""
    return requests.post(
        f"{BASE}/api/v1/public/memory/v2/recall",
        headers={"X-API-Key": API_KEY},
        json={"query": query, "limit": limit}
    ).json()

@mcp.tool()
def store_memory(content: str, memory_type: str = "episodic") -> dict:
    """Store a fact or event in agent memory."""
    return requests.post(
        f"{BASE}/api/v1/public/memory/v2/remember",
        headers={"X-API-Key": API_KEY},
        json={"content": content, "memory_type": memory_type}
    ).json()

if __name__ == "__main__":
    mcp.run()

python my_mcp_server.py

Node.js — MCP SDK

npm install @modelcontextprotocol/sdk

// server.ts
import { Server } from '@modelcontextprotocol/sdk/server/index.js';
import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';

const server = new Server(
  { name: 'my-mcp-server', version: '1.0.0' },
  { capabilities: { tools: {} } }
);

server.setRequestHandler('tools/list', async () => ({
  tools: [{
    name: 'get_credits',
    description: 'Get current credit balance',
    inputSchema: { type: 'object', properties: {} }
  }]
}));

server.setRequestHandler('tools/call', async (request) => {
  if (request.params.name === 'get_credits') {
    const resp = await fetch('https://api.ainative.studio/api/v1/public/credits/balance', {
      headers: { 'X-API-Key': process.env.AINATIVE_API_KEY! }
    });
    return { content: [{ type: 'text', text: JSON.stringify(await resp.json()) }] };
  }
});

const transport = new StdioServerTransport();
await server.connect(transport);

Configure in Claude Code

// .claude/mcp.json
{
  "mcpServers": {
    "my-tools": {
      "command": "python",
      "args": ["my_mcp_server.py"],
      "env": { "AINATIVE_API_KEY": "ak_your_key" }
    }
  }
}

For a published npm package:

{
  "mcpServers": {
    "my-tools": {
      "command": "npx",
      "args": ["my-mcp-package"],
      "env": { "AINATIVE_API_KEY": "ak_your_key" }
    }
  }
}

SKILL.md Format for ClawHub

Every MCP tool should have a matching skill file so agents know when to call it:

---
name: my-tool-name
description: One-line description. Use when (1) scenario, (2) scenario, (3) scenario.
---

# Tool Name

Brief description and usage examples.

Place in .claude/skills/my-tool-name/SKILL.md.

Publish to npm

# package.json
{
  "name": "my-mcp-server",
  "version": "1.0.0",
  "bin": { "my-mcp-server": "./dist/server.js" },
  "main": "./dist/server.js"
}

npm publish

References

  • zerodb-mcp-server/ — Full 76-tool example (Node.js)
  • zerodb-memory-mcp/ — Lightweight 6-tool example (Node.js)
  • src/backend/app/api/v1/endpoints/zerodb_mcp.py — Backend tool handlers
  • MCP spec: https://modelcontextprotocol.io

Comments

Loading comments...