Mcp Builder test
Status: Pass
Audited by VirusTotal on May 7, 2026.
Overview
Type: OpenClaw Skill
Name: mcp-builder-test
Version: 0.1.1
The bundle provides a comprehensive framework for building and evaluating Model Context Protocol (MCP) servers, including Python scripts (connections.py, evaluation.py) and detailed agent instructions (SKILL.md). It is classified as suspicious because it grants the AI agent high-risk capabilities, specifically the ability to execute arbitrary shell commands via the stdio transport and perform network requests to fetch documentation and interact with the Anthropic API. While these behaviors are aligned with the stated purpose of developing and testing MCP servers, the inherent risk of arbitrary code execution and broad network access constitutes a significant attack surface.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the target MCP server exposes tools that create, delete, post, or modify account data, an evaluation run could invoke them under the user's credentials.
The harness gives Claude the full MCP tool list and automatically executes tool calls. The reference evaluation process calls for read-only tasks, but this code does not enforce read-only tools, block destructive annotations, or require user approval per call.
When given a task, you MUST:
1. Use the available tools ...
while response.stop_reason == "tool_use": ... tool_result = await connection.call_tool(tool_name, tool_input)
Run evaluations only against test servers or read-only credentials unless an explicit tool allowlist, destructive-tool filter, and per-call approval are added.
Data returned by evaluated MCP tools, and possibly error details, may be sent to Anthropic during evaluation.
Results returned by the target MCP server are added to the conversation sent to Anthropic's API. This is expected for a Claude-based evaluator, but it is an important data flow.
tool_response = json.dumps(tool_result) ... messages.append({ ... "content": tool_response }) ... client.messages.create(... messages=messages, tools=tools)
Avoid running the evaluator on sensitive production data unless this provider data sharing is acceptable; prefer redaction, test datasets, and least-privilege/read-only tokens.
The evaluator can operate with whatever privileges are present in the supplied headers or environment variables.
The connection helper can pass environment variables and HTTP headers to MCP servers, which commonly include API keys, bearer tokens, or other credentials.
StdioServerParameters(command=self.command, args=self.args, env=self.env) ... sse_client(url=self.url, headers=self.headers)
Use dedicated, least-privilege credentials and avoid passing production admin tokens to evaluation runs.
Running an untrusted MCP server command through the evaluator could execute untrusted local code.
The stdio transport starts a user-specified command to connect to a local MCP server. This is normal MCP plumbing, but it means running the evaluator can execute local server commands.
return stdio_client(StdioServerParameters(command=self.command, args=self.args, env=self.env))
Only use stdio commands for MCP servers you trust and understand; prefer isolated environments for third-party servers.
If the helper scripts are installed later, dependency behavior could change over time.
The optional helper script dependencies use lower-bound version constraints rather than pinned versions, so future installs may resolve to different package versions.
anthropic>=0.39.0
mcp>=1.1.0
For reproducible or production evaluation use, pin dependencies or use a lockfile in an isolated virtual environment.
