skills-server
Verified Safe by ivanenev
Overview
Serves specialized prompt libraries (skills) and provides a token-efficient bridge to hierarchical tool systems for AI clients.
Installation
skills-server
Environment Variables
- SKILLS_DIR
- LAZY_MCP_ENABLED
- LAZY_MCP_COMMAND
- CACHE_DURATION
- LOG_LEVEL
Security Notes
The server uses `child_process.spawn` to execute the command configured in the `LAZY_MCP_COMMAND` environment variable for Lazy-MCP integration. If an attacker can control this environment variable and point it to a malicious executable, the server will spawn that executable, which leads to arbitrary code execution. However, the documentation explicitly warns users to set this to a trusted, absolute path. The server includes robust defenses against path traversal (in skill directory names), injection attacks, malformed JSON-RPC requests, and resource exhaustion, as evidenced by dedicated security tests. No direct `eval` or code obfuscation was identified in the provided source.
Similar Servers
skillz
Acts as an MCP server to expose Claude-style skills and their resources as callable tools for AI agents.
claude-prompts-mcp
Enhances AI assistant behavior through structured prompt management, multi-step chains, quality gates, and autonomous verification loops, primarily for development tasks.
compound-mcp-server
Provides a Model Context Protocol (MCP) server for interacting with Groq models, including compound/meta models, exposing tools for real-time information and code execution capabilities from the Groq AI.
emceepee
A proxy server enabling AI agents to dynamically connect to and interact with multiple Model Context Protocol (MCP) backend servers, exposing the full MCP protocol via a simplified tool interface or a sandboxed JavaScript execution environment.