build-mcp-server-sdk-v1
Pass
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill serves as a purely educational developer guide for the Model Context Protocol (MCP) TypeScript SDK v1.x. It focuses on technical implementation, protocol specifications, and architectural best practices with no malicious instructions detected.
- [CREDENTIALS_UNSAFE]: The documentation explicitly identifies hardcoding secrets as an anti-pattern. While the skill contains example credential strings in 'references/patterns/anti-patterns.md', these are clearly labeled as 'BAD' examples to teach developers what to avoid, and the skill correctly recommends using environment variables for sensitive data.
- [COMMAND_EXECUTION]: The provided code recipes for filesystem and database interactions include built-in security mitigations, such as path traversal validation for file access and read-only 'SELECT' checks for SQL queries.
- [EXTERNAL_DOWNLOADS]: All external dependencies recommended in the setup guides (e.g., @modelcontextprotocol/sdk, zod, express) are well-known, legitimate packages from the official npm registry, used for their intended development purposes.
- [SAFE]: The skill includes extensive documentation on Spec Enhancement Proposals (SEPs) regarding authentication and security, including OAuth 2.1 implementation and DNS rebinding protection, promoting the development of secure software.
Audit Metadata