@stranzwersweb2/skillsmp-mcp
v1.1.0
Published
MCP server for SkillsMP — search, scan, install & uninstall Claude Code skills with built-in security scanning
Maintainers
Readme
skillsmp-mcp
An MCP (Model Context Protocol) server for SkillsMP — the marketplace for Claude Code skills. Search, scan for security threats, install, and uninstall skills directly from your AI assistant.
The only tool that gates skill installation behind a full security scan.
Features
- Search — Keyword and AI-powered semantic search across the SkillsMP marketplace
- Security Scan — 60+ threat patterns: prompt injection, reverse shells, credential theft, supply chain attacks, crypto mining, obfuscation
- Install — Download skills from GitHub to
~/.claude/skills/with automatic security gate - Uninstall — Clean removal of installed skills
- Safe Search — Combined search + auto-scan in one step
Tools (6)
| Tool | Description |
|------|-------------|
| skillsmp_search | Keyword search across SkillsMP marketplace |
| skillsmp_ai_search | AI-powered semantic search (Cloudflare AI) |
| skillsmp_scan_skill | Security scan a GitHub skill repo (60+ patterns) |
| skillsmp_search_safe | Search + auto-scan top results |
| skillsmp_install_skill | Scan then install to ~/.claude/skills/ |
| skillsmp_uninstall_skill | Remove an installed skill |
Install
Works with any MCP-compatible client — Claude Code, OpenClaw, Cursor, Windsurf, nanobot, and more.
Claude Code
Add to ~/.claude/settings.json:
{
"mcpServers": {
"skillsmp": {
"command": "npx",
"args": ["-y", "@stranzwersweb2/skillsmp-mcp"]
}
}
}OpenClaw
Add to ~/.openclaw/mcp.json:
{
"mcpServers": {
"skillsmp": {
"version": "1.0.0",
"autoUpdate": false,
"command": "npx",
"args": ["-y", "@stranzwersweb2/[email protected]"]
}
}
}OpenClaw uses the same
SKILL.mdformat as Claude Code. Skills installed via this server are compatible with both platforms. OpenClaw users should pin versions and review tool policies per the security hardening guide.
Cursor
Add to .cursor/mcp.json in your project root:
{
"mcpServers": {
"skillsmp": {
"command": "npx",
"args": ["-y", "@stranzwersweb2/skillsmp-mcp"]
}
}
}Windsurf
Add to ~/.windsurf/mcp.json:
{
"mcpServers": {
"skillsmp": {
"command": "npx",
"args": ["-y", "@stranzwersweb2/skillsmp-mcp"]
}
}
}Global install
npm install -g @stranzwersweb2/skillsmp-mcpThen reference in any MCP config:
{
"mcpServers": {
"skillsmp": {
"command": "skillsmp-mcp"
}
}
}Client Compatibility
| Client | Config Path | Skill Format |
|--------|------------|--------------|
| Claude Code | ~/.claude/settings.json | SKILL.md in ~/.claude/skills/ |
| OpenClaw | ~/.openclaw/mcp.json | SKILL.md (same format, ClawHub registry) |
| Cursor | .cursor/mcp.json | MCP tools only |
| Windsurf | ~/.windsurf/mcp.json | MCP tools only |
| nanobot | MCP config | MCP tools only |
Security Model
Installation is gated by a multi-level security scan:
| Risk Level | Behavior |
|------------|----------|
| Safe / Low | Install proceeds, warnings shown |
| Medium / High | Install blocked — requires force: true to override |
| Critical | Install permanently blocked — no override |
Additional Safety Guards
- Path traversal prevention on skill names and filenames
- SSRF prevention — only
github.comURLs accepted npm install --ignore-scripts— blockspostinstallattacks- Max 50 files, 2MB total size limit
- Binary files skipped, suspicious filenames flagged
- Content hash for TOCTOU verification
How It Works
Search SkillsMP → Pick a skill → Security scan (60+ patterns)
↓
Critical? → BLOCKED
Medium/High? → Requires force=true
Safe/Low? → Download from GitHub
↓
Write to ~/.claude/skills/<name>/
↓
npm install --ignore-scripts (if needed)
↓
Restart your MCP client to loadExamples
Ask your AI assistant:
Search for git-related skills on SkillsMPScan this skill for security issues: https://github.com/user/repo/tree/main/skills/my-skillInstall the commit skill from https://github.com/user/repo/tree/main/skills/commitUninstall the commit skillDevelopment
git clone https://github.com/adityasugandhi/skillsmp-mcp.git
cd skillsmp-mcp
npm install
npm run build
npm run dev # Watch mode with tsxRequirements
- Node.js >= 20
- Any MCP-compatible client (Claude Code, OpenClaw, Cursor, Windsurf, nanobot, etc.)
Author
Aditya Sugandhi — adityasugandhi.com | GitHub
License
MIT - Aditya Sugandhi
