Skylv Mcp Server Creator
Review
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only MCP builder is coherent, but its sample MCP tools can expose arbitrary file and database access without safety limits, so it should be reviewed carefully before use.
Use this skill only if you intend to scaffold MCP servers and are comfortable reviewing the generated tool permissions. Do not copy the file or database examples into a real server without adding path restrictions, read-only defaults, query allowlists, human approval for destructive actions, least-privilege credentials, trusted-client limits, and pinned dependencies.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied into a real MCP server, a connected agent or MCP client could read or overwrite files accessible to that server process.
The sample MCP file tool accepts arbitrary caller-supplied paths and supports sensitive filesystem operations without a base-directory allowlist, path validation, confirmation step, or sandbox.
operation: z.enum(['read', 'write', 'list', 'delete']), path: z.string(), ... await fs.readFile(args.path, 'utf-8'); ... await fs.writeFile(args.path, args.content || '');
Remove this tool by default or constrain it to an explicit project directory, validate paths, make it read-only unless necessary, require user confirmation for writes/deletes, and run the server with least-privilege OS permissions.
If implemented with real credentials, the generated server could allow an agent to disclose, modify, or delete database data depending on the database user's permissions.
The database example shows raw SQL supplied through an MCP tool with no restriction to read-only queries, approved templates, transaction safeguards, or human approval for mutations.
name: 'database_query', ... sql: z.string().describe('SQL查询语句'), ... const result = await pool.query(args.sql, args.params);
Use least-privilege read-only database users where possible, restrict to approved parameterized query templates, block destructive statements, and require explicit human approval for high-impact database actions.
Users may not realize that implementing the database tool requires granting the MCP server access to a database account.
The example expects a database connection string from the environment, which is sensitive credential material, while the registry metadata lists no required environment variables.
const pool = new Pool({ connectionString: process.env.DATABASE_URL });
Document DATABASE_URL or any other credential requirements clearly, use scoped database accounts, and avoid giving the MCP server broad production credentials.
Future installs may resolve to different package versions than the example was written for.
The setup instructions rely on external npm packages and version ranges. This is expected for a TypeScript MCP scaffold, but it leaves package provenance and exact versions to the user.
npm install @modelcontextprotocol/sdk zod ... "@modelcontextprotocol/sdk": "^0.5.0", "zod": "^3.22.0"
Pin dependency versions, commit a lockfile in real projects, and install packages from trusted registries.
A connected MCP client can trigger whatever capabilities the server exposes, including any file or database tools the user adds.
The scaffolded MCP server accepts tool calls from an MCP client over stdio and passes client-supplied arguments into handlers. This is normal MCP plumbing, but sensitive tools need trusted clients and clear permission boundaries.
const transport = new StdioServerTransport(); await this.server.connect(transport); ... setRequestHandler(CallToolRequestSchema, async (request) => { const { name, arguments: args } = request.params;
Only connect trusted MCP clients, keep sensitive tools disabled by default, and document which clients are allowed to call which tools.
