build-mcp-app

Pass

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: SAFE
Full Analysis
  • Framework and SDK Usage: The skill utilizes standard, vendor-supported libraries such as @modelcontextprotocol/sdk and @modelcontextprotocol/ext-apps to facilitate communication between MCP servers and UI components.
  • Security-First Architecture: Significant emphasis is placed on the use of sandboxed iframes and restrictive CSP settings to isolate UI widgets, preventing them from accessing sensitive host data or making unauthorized network requests.
  • Resource Inlining Pattern: The skill documents a specific technique for inlining the required JavaScript bundle into the widget HTML. Because the host blocks external script fetches from inside the sandbox, this is a necessity rather than an optimization; it is implemented by reading the bundle from the installed package on local disk, and the skill confines those reads to the specified packages rather than arbitrary paths.
  • Abuse Protection and Best Practices: Detailed guidance is provided on implementing rate limiting, IP tiering (using official Anthropic egress ranges), and request caching to protect hosted servers from potential abuse.
  • Secure Navigation and File Handling: The documentation correctly identifies that standard browser features like window.open are restricted by the sandbox and instructs developers to use host-mediated APIs like app.openLink and app.downloadFile for these actions.
  • Payload Management: Strategies for managing large tool results are included to ensure application stability and prevent client-side parsing errors associated with host-enforced character limits.
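The inlining, CSP and sandbox points above, as an added Node example that is not code from the audited skill or from the @modelcontextprotocol packages: the bundle file, its directory and its contents are constructed here to stand in for the installed package, and the CSP, iframe attributes and audit checks are this example's own choices, not the skill's documented settings.

```javascript
// Added example, not code from the audited skill or the @modelcontextprotocol
// packages. It shows the inlining pattern the audit describes: read a bundle
// from a local package path, embed it in the widget HTML under a hash-based
// CSP, and host the result in a sandboxed iframe.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
const crypto = require("node:crypto");

// Constructed stand-in for the real bundle (the skill reads it from the
// installed package; the directory and file name here are assumptions).
const PKG_ROOT = fs.mkdtempSync(path.join(os.tmpdir(), "ext-apps-"));
const BUNDLE_PATH = path.join(PKG_ROOT, "dist", "index.js");
fs.mkdirSync(path.dirname(BUNDLE_PATH));
fs.writeFileSync(
  BUNDLE_PATH,
  'window.__widget = { ready: true };\n' +
    // A string literal like this would close the <script> element early if
    // the bundle were pasted in verbatim.
    'window.__probe = "</script><script>alert(1)</script>";\n'
);

// Read a bundle for inlining. Two checks: the path must stay inside the
// package root (no reading arbitrary files off the server), and every
// "</script" in the text is neutralised so the bundle cannot terminate the
// element it is embedded in. "<\/script" is identical JS inside strings and
// comments, and a regex literal never contains that contiguous sequence.
function inlineScript(bundlePath, allowedRoot) {
  const resolved = path.resolve(bundlePath);
  if (!resolved.startsWith(path.resolve(allowedRoot) + path.sep)) {
    throw new Error(`refusing to inline ${bundlePath}: outside ${allowedRoot}`);
  }
  return fs.readFileSync(resolved, "utf8").replace(/<\/script/gi, "<\\/script");
}

// CSP for the widget document. The inline script is allowed only by its
// SHA-256 digest, so 'unsafe-inline' is unnecessary and nothing may be
// fetched from any origin; connect-src 'none' blocks fetch/XHR/WebSocket.
function cspFor(scriptText) {
  const digest = crypto.createHash("sha256").update(scriptText, "utf8").digest("base64");
  return [
    "default-src 'none'",
    `script-src 'sha256-${digest}'`,
    "style-src 'unsafe-inline'",
    "img-src data:",
    "connect-src 'none'",
  ].join("; ");
}

function buildWidgetHtml(bundlePath, allowedRoot) {
  const script = inlineScript(bundlePath, allowedRoot);
  return (
    '<!doctype html><html><head><meta charset="utf-8">' +
    `<meta http-equiv="Content-Security-Policy" content="${cspFor(script)}">` +
    '</head><body><div id="root"></div>' +
    `<script>${script}</script></body></html>`
  );
}

// Host side: sandbox without allow-same-origin gives the widget an opaque
// origin (no host cookies, storage or DOM), and without allow-popups
// window.open() is blocked, which is why navigation has to go through a
// host-mediated API such as the app.openLink the audit mentions.
function hostIframe(widgetHtml) {
  const srcdoc = widgetHtml.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
  return `<iframe sandbox="allow-scripts" referrerpolicy="no-referrer" srcdoc="${srcdoc}"></iframe>`;
}

// Checks a reviewer would run over generated widget HTML.
function auditWidget(html) {
  const open = html.indexOf("<script>");
  const close = html.lastIndexOf("</script>");
  const body = open >= 0 && close > open ? html.slice(open + 8, close) : "";
  const csp = (html.match(/http-equiv="Content-Security-Policy" content="([^"]*)"/) || ["", ""])[1];
  const scriptSrc = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("script-src")) || "";
  return {
    earlyClose: /<\/script/i.test(body),                // bundle escaped its element
    externalRefs: /\b(?:src|href)=["']?(?:https?:)?\/\//i.test(html),
    hashedScript: /'sha256-[A-Za-z0-9+/=]+'/.test(scriptSrc),
    unsafeInline: scriptSrc.includes("'unsafe-inline'"),
  };
}
```

The hash source is worth the extra step: a `script-src 'unsafe-inline'` policy would let any injected markup in the widget run, whereas the digest pins execution to the one inlined bundle. `frame-ancestors` is deliberately absent because it is ignored in a `<meta>` policy; set it from the response header on the host side instead.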
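The abuse-protection points above (rate limiting, IP tiering, request caching), as an added Node example that is not code from the audited skill: the tier CIDRs, proxy ranges, rates and burst sizes are constructed placeholders, and the trusted tier must be populated from Anthropic's published egress ranges rather than from anything written here.

```javascript
// Added example, not code from the audited skill. It sketches the abuse
// protections the audit lists for a hosted MCP server: client-IP extraction
// that only trusts X-Forwarded-For behind a known proxy, IP tiering by CIDR,
// a per-tier token bucket, and a short-lived cache in front of tool handlers.

// IPv4 only, to keep the example short; production code needs IPv6 as well.
function ipv4ToInt(ip) {
  const p = String(ip).split(".").map(Number);
  if (p.length !== 4 || p.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Resolve the client address. X-Forwarded-For is attacker-controlled unless
// the TCP peer is one of our own proxies; walk it right-to-left and return
// the first hop that is not a proxy. Tiering on a spoofable header would let
// anyone claim the trusted tier.
function clientIp(peerIp, xff, proxyCidrs) {
  const isProxy = (ip) => proxyCidrs.some((c) => inCidr(ip, c));
  if (!isProxy(peerIp) || !xff) return peerIp;
  const hops = xff.split(",").map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) if (!isProxy(hops[i])) return hops[i];
  return peerIp;
}

// Tiers: the CIDRs are constructed placeholders (assumption). Populate the
// trusted tier from Anthropic's published egress ranges at deploy time and
// refresh them on a schedule; never hard-code ranges from memory.
const TIERS = [
  { name: "trusted", cidrs: ["198.51.100.0/24"], ratePerSec: 20, burst: 40 },
  { name: "public", cidrs: [], ratePerSec: 2, burst: 5 },
];
function tierFor(ip) {
  return TIERS.find((t) => t.cidrs.some((c) => inCidr(ip, c))) || TIERS[TIERS.length - 1];
}

class TokenBucket {
  constructor(rate, burst, now) { this.rate = rate; this.burst = burst; this.tokens = burst; this.last = now; }
  take(now) {
    this.tokens = Math.min(this.burst, this.tokens + (Math.max(0, now - this.last) / 1000) * this.rate);
    this.last = now;
    if (this.tokens < 1) return false;
    this.tokens -= 1;
    return true;
  }
}

// Stable cache key: sort object keys recursively so {a,b} and {b,a} match.
function canonical(v) {
  if (Array.isArray(v)) return "[" + v.map(canonical).join(",") + "]";
  if (v && typeof v === "object") {
    return "{" + Object.keys(v).sort().map((k) => JSON.stringify(k) + ":" + canonical(v[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}

class AbuseGuard {
  // nowFn is injectable so the limiter can be tested against a fake clock.
  constructor(nowFn = () => Date.now()) { this.now = nowFn; this.buckets = new Map(); this.cache = new Map(); }

  check(ip) {
    const tier = tierFor(ip);
    const key = `${tier.name}:${ip}`;
    let bucket = this.buckets.get(key);
    if (!bucket) { bucket = new TokenBucket(tier.ratePerSec, tier.burst, this.now()); this.buckets.set(key, bucket); }
    return { allowed: bucket.take(this.now()), tier: tier.name };
  }

  // Rate-limit first, then serve from cache or run the (synchronous) handler.
  callTool(ip, tool, args, handler, ttlMs = 30000) {
    const { allowed, tier } = this.check(ip);
    if (!allowed) return { error: "rate_limited", tier };
    const key = tool + ":" + canonical(args);
    const hit = this.cache.get(key);
    if (hit && hit.expires > this.now()) return { result: hit.value, cached: true, tier };
    const value = handler(args);
    this.cache.set(key, { value, expires: this.now() + ttlMs });
    return { result: value, cached: false, tier };
  }
}
```

Both maps grow without bound in this sketch; a deployed server should evict idle buckets and cap the cache (an LRU keyed the same way), and should only cache tool results that are safe to share across callers.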
Audit Metadata
Risk Level: SAFE
Analyzed: May 7, 2026, 05:20 PM