← 返回 Skills 市场
236
总下载
1
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install mcp-to-skill
功能描述
Converts any MCP server into a standalone skill package with zero runtime dependencies (no MCP process required). Trigger when user says: "convert this MCP t...
安全使用建议
This skill performs network downloads, extracts npm packages, and runs a user-supplied MCP start command — which will execute arbitrary code. Before installing or running it: (1) do not run it with sensitive credentials present; remove or rotate tokens you don't want exposed; (2) prefer providing a schema JSON instead of a start command so no remote package is executed; (3) run mcp_inspector and the skill generation in an isolated environment (container/VM) and inspect the extracted package and generated SKILL.md/secrets.json before registering; (4) expect the skill to call pip/npm/tar at runtime — if you require an explicit install policy or denylist, ask the author to declare required binaries and to avoid auto-downloading packages. These mismatches (no declared binaries/env but runtime downloads and execution) are why I rate the package suspicious.
功能分析
Type: OpenClaw Skill
Name: mcp-to-skill
Version: 1.0.0
The skill automates the conversion of MCP servers into standalone skills by downloading source code via 'npm pack', extracting it, and using an AI agent to infer and execute shell commands. Key risks include the automated execution of AI-inferred 'read-only' commands (Step 4 in SKILL.md) and the modification of the agent's environment by symlinking new skills into ~/.claude/skills (Step 6). While these actions align with the tool's stated purpose, they provide a mechanism for potential remote code execution and persistence if the input MCP server or the AI's inferences are untrusted.
能力评估
Purpose & Capability
The skill claims to convert an MCP server to a skill without runtime dependencies, but the SKILL.md and mcp_inspector.py require runtime tools: Python, pip, the 'mcp' Python package, npm, tar and ability to start the provided MCP command. Registry metadata lists no required binaries/env vars, which is inconsistent with what the skill actually needs to do.
Instruction Scope
Instructions tell the agent to: run the user-supplied MCP start command (which spawns arbitrary code), run mcp_inspector.py, download and extract npm packages, read/write temp files (/tmp/...), read source code (when available), and execute inferred read-only HTTP/CLI commands for verification. These actions are within the stated conversion purpose but give the skill broad discretion to execute user-provided commands and contact external networks; that expands scope beyond a simple static analysis tool.
Install Mechanism
There is no formal install spec, but runtime steps include 'pip install mcp' and mcp_inspector.py calls 'npm pack' and 'tar' to download and extract packages into /tmp. Downloading, extracting, and interacting with npm packages from arbitrary package names is higher risk and is not declared in the registry metadata.
Credentials
The skill declares no required env vars or credentials, yet SKILL.md instructs reading secrets.json and environment variables (e.g., X_API_TOKEN) for generated skills, and mcp_inspector will create files under /tmp and a cache dir. The skill may therefore access local secrets or tokens implicitly even though none are declared.
Persistence & Privilege
always is false and the skill does not request forced/system-wide persistence. The SKILL.md instructs registering the generated skill with the agent (expected for its purpose). Autonomous invocation (model invocation enabled) is default but not by itself a new risk here.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install mcp-to-skill - 安装完成后,直接呼叫该 Skill 的名称或使用
/mcp-to-skill触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
mcp-to-skill v1.0.0
- Introduces a tool for converting any MCP server into a standalone skill package with zero runtime dependencies.
- Guides users through extracting tool schemas, analyzing code or documentation, and generating a ready-to-use skill—no MCP process required.
- Provides configurable language support for generated files.
- Ensures secrets safety by separating public config and sensitive credentials.
- Supports auto-registration with popular AI agent frameworks, with fallback to manual instructions.
- Optionally prompts users to remove the original MCP configuration after conversion.
元数据
常见问题
mcp-to-skill 是什么?
Converts any MCP server into a standalone skill package with zero runtime dependencies (no MCP process required). Trigger when user says: "convert this MCP t... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 236 次。
如何安装 mcp-to-skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install mcp-to-skill」即可一键安装,无需额外配置。
mcp-to-skill 是免费的吗?
是的,mcp-to-skill 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
mcp-to-skill 支持哪些平台?
mcp-to-skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 mcp-to-skill?
由 JalanChao(@jalanchao)开发并维护,当前版本 v1.0.0。
推荐 Skills