Mcp Builder test
Advisory
Audited by static analysis on May 7, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the target MCP server exposes tools that create, delete, post, or modify account data, an evaluation run could invoke them under the user's credentials.
The harness gives Claude the full MCP tool list and automatically executes tool calls. The reference evaluation process calls for read-only tasks, but this code does not enforce read-only tools, block destructive annotations, or require user approval per call.
When given a task, you MUST:
1. Use the available tools ...
while response.stop_reason == "tool_use": ... tool_result = await connection.call_tool(tool_name, tool_input)
Run evaluations only against test servers or read-only credentials unless an explicit tool allowlist, destructive-tool filter, and per-call approval are added.
Data returned by evaluated MCP tools, and possibly error details, may be sent to Anthropic during evaluation.
Results returned by the target MCP server are added to the conversation sent to Anthropic's API. This is expected for a Claude-based evaluator, but it is an important data flow.
tool_response = json.dumps(tool_result) ... messages.append({ ... "content": tool_response }) ... client.messages.create(... messages=messages, tools=tools)
Avoid running the evaluator on sensitive production data unless this provider data sharing is acceptable; prefer redaction, test datasets, and least-privilege/read-only tokens.
The evaluator can operate with whatever privileges are present in the supplied headers or environment variables.
The connection helper can pass environment variables and HTTP headers to MCP servers, which commonly include API keys, bearer tokens, or other credentials.
StdioServerParameters(command=self.command, args=self.args, env=self.env) ... sse_client(url=self.url, headers=self.headers)
Use dedicated, least-privilege credentials and avoid passing production admin tokens to evaluation runs.
Running an untrusted MCP server command through the evaluator could execute untrusted local code.
The stdio transport starts a user-specified command to connect to a local MCP server. This is normal MCP plumbing, but it means running the evaluator can execute local server commands.
return stdio_client(StdioServerParameters(command=self.command, args=self.args, env=self.env))
Only use stdio commands for MCP servers you trust and understand; prefer isolated environments for third-party servers.
If the helper scripts are installed later, dependency behavior could change over time.
The optional helper script dependencies use lower-bound version constraints rather than pinned versions, so future installs may resolve to different package versions.
anthropic>=0.39.0
mcp>=1.1.0
For reproducible or production evaluation use, pin dependencies or use a lockfile in an isolated virtual environment.
