MCP Best Practices

v0.2.0

Build production MCP servers with the TypeScript SDK. Covers spec 2025-11-25, SDK v1.28+/v2, transport selection, tool design, error handling, security, perf...

by Misha Kolesnik (@tenequm)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (MCP Best Practices) matches the provided artifacts: an explanatory SKILL.md plus multiple reference markdown files. The skill requests no binaries, env vars, config paths, or installs, which is appropriate for a documentation/reference skill.
Instruction Scope
SKILL.md contains many code examples, deployment patterns, and operational commands (e.g., npm, cloudflared examples, fs.readFile snippets) but these are example code for implementers rather than directives to access unrelated host files or secrets. Exercise normal caution before running any example commands on your machine; the guidance does not instruct the agent to read host files or exfiltrate data.
Install Mechanism
No install spec or code files are executed by the platform — the skill is instruction-only, so nothing will be downloaded or written to disk during install.
Credentials
The skill declares no required environment variables or credentials. Although examples reference payment/auth flows and tokens (as expected for server implementation guidance), the skill does not request secrets or unrelated credentials.
Persistence & Privilege
Flags show normal defaults (always: false, agent invocation allowed). The skill does not request persistent system presence or modify other skills/configuration. Autonomous invocation is allowed by default and is not, by itself, a threat here.
Assessment
This skill is a documentation/reference pack for MCP server best practices and appears internally consistent. Before using code snippets or running any commands shown: (1) verify the snippets come from a trusted source (the skill's source/homepage is unknown), (2) review and audit any shell commands (don't run copied commands as-is on production or machines with sensitive data), (3) confirm SDK and dependency versions match your environment, and (4) treat examples that expose services to the internet (cloudflared, public endpoints) with standard operational safeguards (authentication, firewalling, least privilege). The package uses an Apache-2.0 license — check compatibility with your project if you plan to copy/paste code.
