Scan Report
0 /100
mcp-best-practices
Build production MCP servers with the TypeScript SDK. Covers spec 2025-11-25, SDK v1.28+/v2, transport selection, tool design, error handling, security, performance, known bugs with workarounds, MCP extensions, MCP Apps, authorization extensions, and the MCP Registry.
This is a pure Markdown documentation skill containing only reference guides for MCP best practices — no executable code, scripts, or binary dependencies. All pre-scan flags are educational examples within security documentation sections, not actual malicious behavior.
Safe to install
No action needed. This skill is safe to use.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No Read/Write tool declarations; skill contains only Markdown files |
| Network | NONE | NONE | — | No WebFetch or network tool declarations |
| Shell | NONE | NONE | — | No Bash tool declarations; pre-scan 'rm -rf /' is a documented attack example in… |
| Environment | NONE | NONE | — | No environment variable access |
| Skill Invoke | NONE | NONE | — | No skill_invoke capability declared |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser tool declared |
| Database | NONE | NONE | — | No database access |
1 Critical 2 High 20 findings
Critical Dangerous Command 危险 Shell 命令
rm -rf / references/security-auth.md:155 High IP Address 硬编码 IP 地址
169.254.169.254 references/security-auth.md:124 High IP Address 硬编码 IP 地址
169.254.0.0 references/security-auth.md:128 Medium External URL 外部 URL
https://www.apache.org/licenses/ LICENSE.txt:3 Medium External URL 外部 URL
https://spec.modelcontextprotocol.io SKILL.md:16 Medium External URL 外部 URL
https://modelcontextprotocol.io/registry/about SKILL.md:22 Medium External URL 外部 URL
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13 SKILL.md:309 Medium External URL 外部 URL
https://modelcontextprotocol.io/seps/2133-extensions references/extensions-registry.md:70 Medium External URL 外部 URL
https://modelcontextprotocol.io/community/sep-guidelines references/extensions-registry.md:72 Medium External URL 外部 URL
https://modelcontextprotocol.io/registry/quickstart references/extensions-registry.md:171 Medium External URL 外部 URL
https://modelcontextprotocol.io/registry/github-actions references/extensions-registry.md:173 Medium External URL 外部 URL
https://modelcontextprotocol.io/registry/versioning references/extensions-registry.md:185 Medium External URL 外部 URL
https://mcpui.dev/ references/mcp-apps.md:43 Medium External URL 外部 URL
https://apps.extensions.modelcontextprotocol.io/api/documents/Patterns.html#configuring-csp-and-cors references/mcp-apps.md:217 Medium External URL 外部 URL
https://apps.extensions.modelcontextprotocol.io/api/modules/app-bridge.html references/mcp-apps.md:292 Medium External URL 外部 URL
https://apps.extensions.modelcontextprotocol.io/api/ references/mcp-apps.md:294 Medium External URL 外部 URL
https://evil.com/exfil references/security-auth.md:154 Medium External URL 外部 URL
https://your-server.com/mcp references/security-auth.md:210 Medium External URL 外部 URL
https://auth.your-server.com references/security-auth.md:211 Medium External URL 外部 URL
https://mcp.example.com/.well-known/oauth-protected-resource references/security-auth.md:236 File Tree
9 files · 95.0 KB · 2433 lines Markdown 8f · 2271L
Text 1f · 162L
├─
▾
references
│ ├─
error-handling.md
Markdown
│ ├─
extensions-registry.md
Markdown
│ ├─
mcp-apps.md
Markdown
│ ├─
security-auth.md
Markdown
│ ├─
tool-schema-guide.md
Markdown
│ ├─
transport-patterns.md
Markdown
│ └─
v2-migration.md
Markdown
├─
LICENSE.txt
Text
└─
SKILL.md
Markdown
Security Positives
✓ No executable code or scripts present — pure documentation skill
✓ No dependencies (no package.json, requirements.txt, etc.)
✓ All pre-scan flags are false positives: 'rm -rf /' and AWS metadata IPs are educational examples in security-auth.md
✓ SKILL.md accurately describes the skill as a decision reference for MCP best practices
✓ No credential harvesting, data exfiltration, obfuscation, or persistence mechanisms
✓ No supply chain risks — no third-party dependencies