Trusted — Risk Score 5/100
Last scan: 19 hr ago
mcp-builder
Guide for creating high-quality MCP (Model Context Protocol) servers
This is a legitimate MCP server development guide skill with no security issues - it's a documentation and guidance tool with no malicious behavior.
Skill Name: mcp-builder
Duration: 31.3s
Engine: pi
Safe to install
This skill is safe to use. No action required.

Findings 1 item

Severity: Low
Finding: Dependencies not version pinned (Supply Chain)
Location: scripts/requirements.txt:1
requirements.txt uses loose version constraints (>=) for anthropic and mcp packages. While not malicious, version pinning would improve reproducibility and prevent potential supply chain issues.
anthropic>=0.39.0
mcp>=1.1.0
→ Pin exact versions in production use (e.g., anthropic==0.39.0) to ensure consistent behavior
Resource Declared Inferred Status Evidence
Filesystem READ READ ✓ Aligned SKILL.md: Read local documentation and reference files
Network READ READ ✓ Aligned SKILL.md: Fetch SDK documentation from GitHub URLs
Shell WRITE WRITE ✓ Aligned scripts/evaluation.py: Execute local MCP servers for testing
5 findings
Medium External URL
http://www.apache.org/licenses/
LICENSE.txt:4
Medium External URL
http://www.apache.org/licenses/LICENSE-2.0
LICENSE.txt:196
Medium External URL
https://modelcontextprotocol.io/sitemap.xml
SKILL.md:41
Medium External URL
https://modelcontextprotocol.io/specification/draft.md
SKILL.md:43
Medium External URL
https://api.example.com/v1
reference/node_mcp_server.md:601

File Tree

11 files · 119.1 KB · 3528 lines
Markdown 5f · 2773L Python 2f · 524L Text 2f · 203L XML 1f · 22L JSON 1f · 6L
├─ 📁 reference
│ ├─ 📝 evaluation.md Markdown 601L · 21.2 KB
│ ├─ 📝 mcp_best_practices.md Markdown 249L · 7.2 KB
│ ├─ 📝 node_mcp_server.md Markdown 969L · 27.9 KB
│ └─ 📝 python_mcp_server.md Markdown 718L · 24.5 KB
├─ 📁 scripts
│ ├─ 🐍 connections.py Python 151L · 4.8 KB
│ ├─ 🐍 evaluation.py Python 373L · 12.3 KB
│ ├─ 📄 example_evaluation.xml XML 22L · 1.2 KB
│ └─ 📄 requirements.txt Text 2L · 29 B
├─ 📋 .openskills.json JSON 6L · 191 B
├─ 📄 LICENSE.txt Text 201L · 11.1 KB
└─ 📝 SKILL.md Markdown 236L · 8.9 KB

Dependencies 2 items

Package Version Source Known Vulns Notes
anthropic >=0.39.0 pip No Version not pinned
mcp >=1.1.0 pip No Version not pinned

Security Positives

✓ Clean codebase with no obfuscation or suspicious patterns
✓ Documentation accurately describes all functionality
✓ No credential theft, data exfiltration, or reverse shell attempts
✓ Uses official MCP SDK (mcp package)
✓ Well-structured code with proper error handling
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ Shell execution is scoped to launching local MCP servers for evaluation