api-mcp-server

Integrates a cloud-hosted MCP server into Bun/Elysia APIs, enabling secure, multi-tenant access for AI agents with authentication.

Install this skill

or

31/100

Security score

The api-mcp-server skill was audited on Mar 8, 2026 and we found 21 security issues across 3 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 301

Template literal with variable interpolation in command context

SourceSKILL.md

301	`Permission denied: tool "${toolName}" requires "${permission}" permission. ` +

medium line 302

Template literal with variable interpolation in command context

SourceSKILL.md

302	`Your permissions are: ${perms.join(", ")}`

medium line 745

Template literal with variable interpolation in command context

SourceSKILL.md

745	const RESOURCE_METADATA_URL = `${env.BETTER_AUTH_URL}/.well-known/oauth-protected-resource`;

medium line 757

Template literal with variable interpolation in command context

SourceSKILL.md

757	"www-authenticate": `Bearer resource_metadata="${RESOURCE_METADATA_URL}"`,

medium line 907

Template literal with variable interpolation in command context

SourceSKILL.md

907	instructions += `Your permissions: ${result.permissions.join(", ")}. `;

medium line 909

Template literal with variable interpolation in command context

SourceSKILL.md

909	instructions += `NOT available: ${deniedTools.join(", ")}.`;

medium line 1007

Template literal with variable interpolation in command context

SourceSKILL.md

1007	if (!group) throw new Error(`Folder ${targetGroupId} not found`);

medium line 1017

Template literal with variable interpolation in command context

SourceSKILL.md

1017	throw new Error(`Folder ${targetGroupId} is not accessible`);

medium line 1024

Template literal with variable interpolation in command context

SourceSKILL.md

1024	`ai:agent:${session.agentId}` // Track who created it

medium line 1067

Template literal with variable interpolation in command context

SourceSKILL.md

1067	resource: `${env.BETTER_AUTH_URL}/api/mcp`,

medium line 1173

Curl to non-GitHub URL

SourceSKILL.md

1173	curl -X POST https://your-api.com/api/mcp \

medium line 1179

Curl to non-GitHub URL

SourceSKILL.md

1179	curl -X POST https://your-api.com/api/mcp \

low line 1173

External URL reference

SourceSKILL.md

1173	curl -X POST https://your-api.com/api/mcp \

low line 1179

External URL reference

SourceSKILL.md

1179	curl -X POST https://your-api.com/api/mcp \

low line 1192

External URL reference

SourceSKILL.md

1192	"url": "https://your-api.com/api/mcp"

low line 1301

External URL reference

SourceSKILL.md

1301	`Bearer resource_metadata="https://..."` with the URL in double quotes. If

low line 1310

External URL reference

SourceSKILL.md

1310	- MCP Specification: https://modelcontextprotocol.io/

low line 1313

External URL reference

SourceSKILL.md

1313	https://www.rfc-editor.org/rfc/rfc9728

low line 1314

External URL reference

SourceSKILL.md

1314	- RFC 8414 (OAuth Server Metadata): https://www.rfc-editor.org/rfc/rfc8414

low line 1316

External URL reference

SourceSKILL.md

1316	- Drizzle ORM: https://orm.drizzle.team

low line 1317

External URL reference

SourceSKILL.md

1317	- Elysia: https://elysiajs.com

Scanned on Mar 8, 2026

View Security Dashboard

Install this skill with one command

/learn @ichabodcole/api-mcp-server

Rate this skill

Categorydevelopment

UpdatedMarch 29, 2026

openclaw api backend backend-developer ml-ai-engineer data-engineer postgresql development

ichabodcole/project-docs-scaffold-template