Skylv Mcp Server Creator

Result: Pass. Audited by VirusTotal on May 3, 2026.

Overview

Type: OpenClaw Skill
Name: skylv-mcp-server-creator
Version: 1.0.0

The skill provides boilerplate code for building MCP servers that includes high-risk capabilities such as arbitrary file system operations (read, write, delete) and raw SQL execution in the 'fileTools' and 'dbTool' examples within SKILL.md. While these features align with the stated purpose of a server builder, the provided code lacks input sanitization or path validation, creating significant vulnerabilities like Path Traversal and SQL Injection if an AI agent implements them as written.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If copied into a real MCP server, a connected agent or MCP client could read or overwrite files accessible to that server process.

Why it was flagged

The sample MCP file tool accepts arbitrary caller-supplied paths and supports sensitive filesystem operations without a base-directory allowlist, path validation, confirmation step, or sandbox.

Skill content

    operation: z.enum(['read', 'write', 'list', 'delete']),
    path: z.string(),
    ...
    await fs.readFile(args.path, 'utf-8');
    ...
    await fs.writeFile(args.path, args.content || '');

Recommendation

Remove this tool by default or constrain it to an explicit project directory, validate paths, make it read-only unless necessary, require user confirmation for writes/deletes, and run the server with least-privilege OS permissions.

What this means

If implemented with real credentials, the generated server could allow an agent to disclose, modify, or delete database data depending on the database user's permissions.

Why it was flagged

The database example shows raw SQL supplied through an MCP tool with no restriction to read-only queries, approved templates, transaction safeguards, or human approval for mutations.

Skill content

    name: 'database_query',
    ...
    sql: z.string().describe('SQL查询语句'),
    ...
    const result = await pool.query(args.sql, args.params);

Recommendation

Use least-privilege read-only database users where possible, restrict to approved parameterized query templates, block destructive statements, and require explicit human approval for high-impact database actions.

What this means

Users may not realize that implementing the database tool requires granting the MCP server access to a database account.

Why it was flagged

The example expects a database connection string from the environment, which is sensitive credential material, while the registry metadata lists no required environment variables.

Skill content

    const pool = new Pool({ connectionString: process.env.DATABASE_URL });

Recommendation

Document DATABASE_URL or any other credential requirements clearly, use scoped database accounts, and avoid giving the MCP server broad production credentials.

What this means

Future installs may resolve to different package versions than the example was written for.

Why it was flagged

The setup instructions rely on external npm packages and version ranges. This is expected for a TypeScript MCP scaffold, but it leaves package provenance and exact versions to the user.

Skill content

    npm install @modelcontextprotocol/sdk zod
    ...
    "@modelcontextprotocol/sdk": "^0.5.0",
    "zod": "^3.22.0"

Recommendation

Pin dependency versions, commit a lockfile in real projects, and install packages from trusted registries.

What this means

A connected MCP client can trigger whatever capabilities the server exposes, including any file or database tools the user adds.

Why it was flagged

The scaffolded MCP server accepts tool calls from an MCP client over stdio and passes client-supplied arguments into handlers. This is normal MCP plumbing, but sensitive tools need trusted clients and clear permission boundaries.

Skill content

    const transport = new StdioServerTransport();
    await this.server.connect(transport);
    ...
    setRequestHandler(CallToolRequestSchema, async (request) => {
      const { name, arguments: args } = request.params;

Recommendation

Only connect trusted MCP clients, keep sensitive tools disabled by default, and document which clients are allowed to call which tools.