Mcp Client

by yuyonghao-123 · GitHub ↗ · v0.1.1 · MIT-0
cross-platform ⚠ suspicious
154 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install yuyonghao-mcp-client
Description
MCP Client skill connects and manages MCP servers via stdio or SSE, supporting tool calls, resource reads, prompts, permission control, auditing, and error h...
Usage Guidance
Do not install or run this skill without cleaning the bundled configuration and reviewing behavior. Specific actions to take before use:
- Inspect src/mcp-config.json and remove or replace the hardcoded GITHUB_TOKEN. If that token is real, consider it leaked and rotate it immediately.
- Replace absolute/local paths (e.g., C:\Users\99236\.openclaw\workspace) with safe workspace-relative paths or placeholders.
- Avoid running the test scripts or the CLI in auto-approve mode until you understand the approvals: the CLI (when run directly) sets autoApprove: true and requireApproval: false and auto-approves '*', which will allow all tool/resource calls without prompts.
- Understand that npm / npx will fetch and execute packages (e.g., @modelcontextprotocol/server-*). Run in an isolated environment (container or VM) if you need to test.
- If you need GitHub access, configure tokens via environment variables at runtime (do not commit them) and verify the code reads process.env rather than a baked-in value.
- If you already ran this package with the included token, rotate the token and check GitHub logs for suspicious activity.
- If you intend to use this as an OpenClaw skill, consider forking and removing sensitive defaults, disabling auto-approve by default, and re-running the security review before deployment.
Capability Analysis
Type: OpenClaw Skill
Name: yuyonghao-mcp-client
Version: 0.1.1
The bundle contains a hardcoded GitHub Personal Access Token (PAT) in 'src/mcp-config.json' (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), which is a critical security risk. The skill is designed to execute arbitrary commands via 'npx' to launch MCP servers as defined in the configuration, presenting a high risk of Remote Code Execution (RCE) if the configuration is modified. Additionally, multiple files (e.g., 'src/mcp-config.json' and 'test/mcp-servers.test.js') contain hardcoded absolute file paths specific to a developer's local environment, indicating poor security hygiene. While 'src/secure-client.js' implements some defensive features like sensitive path filtering and audit logging, the exposed credential and broad execution capabilities warrant a suspicious classification.
Capability Assessment
Purpose & Capability
Name/description and code align: this is an MCP client implementing stdio and SSE transports and tool/resource calls. However the shipped configuration (src/mcp-config.json) contains a hardcoded GitHub token and Windows user workspace paths that are unrelated to the declared 'no env vars required' metadata. Having a baked-in GITHUB_TOKEN and host-specific paths is disproportionate to a generic client library and suggests leaked or environment-specific config bundled into the package.
Instruction Scope
SKILL.md and CLI instruct running npm install, starting npx-based MCP servers, and running tests that will attempt real connections and may read local files. The CLI implementation (src/mcp-skill.js -> cli()) constructs the skill with autoApprove: true and requireApproval: false and autoApprovePatterns ['*'], effectively disabling approval in that mode — this broad, implicit auto-approval increases risk of unintended tool/resource access. Tests and integration scripts reference absolute local paths (C:\Users\99236\.openclaw\workspace) and will try to read those if run.
Install Mechanism
There is no registry install spec in the metadata (instruction-only from registry), but the package includes package.json/package-lock.json so the intended install is npm install (documented in SKILL.md). Dependencies come from npm (including an MCP SDK). Using npm and npx to spawn servers is expected for this functionality, but running npx to fetch and execute packages will run remote code — standard for this domain but worth noting.
Credentials
Registry metadata declares no required env vars, yet src/mcp-config.json contains an explicit GITHUB_TOKEN value (looks like a personal access token) and server configs that use process.env.GITHUB_TOKEN as a fallback. The skill will merge server env into subprocesses, so any token in the config would be passed to child processes. Hardcoded credentials in the repo are disproportionate and a high-risk finding: treat the token as compromised and rotate immediately if it is real.
Persistence & Privilege
always: false (good). The skill exports a default instance (export const mcpSkill = new OpenClawMCPSkill()) which reads/writes its own mcp-config.json in the skill directory when imported, which is normal for a skill that stores config. The more concerning behavior is that the CLI mode auto-approves operations (see Instruction Scope). The skill does not request elevated system privileges or attempt to edit other skills' configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install yuyonghao-mcp-client
  3. After installation, invoke the skill by name or use /yuyonghao-mcp-client
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
- Updated version to 0.1.1 in package.json.
- No changes to documentation or code; only package metadata version was incremented.
v0.1.0
Enhanced MCP client with security features, 55 tests passing
Metadata
Slug yuyonghao-mcp-client
Version 0.1.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Mcp Client?

MCP Client skill connects and manages MCP servers via stdio or SSE, supporting tool calls, resource reads, prompts, permission control, auditing, and error h... It is an AI Agent Skill for Claude Code / OpenClaw, with 154 downloads so far.

How do I install Mcp Client?

Run "/install yuyonghao-mcp-client" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Mcp Client free?

Yes, Mcp Client is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Mcp Client support?

Mcp Client is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Mcp Client?

It is built and maintained by yuyonghao-123 (@yuyonghao-123); the current version is v0.1.1.