# Skill Management MCP Server
A Model Context Protocol (MCP) server that enables Claude to manage skills stored in `~/.skill-mcp/skills`. This system allows Claude to create, edit, run, and manage skills programmatically, including execution of skill scripts with environment variables.
## Quick Status
**Status:** ✅ Production Ready
**Test Coverage:** 82% (78/78 tests passing)
**Deployed:** October 18, 2025
**Architecture:** 19-module modular Python package
## Overview
This project consists of two main components:
1. **MCP Server** (`src/skill_mcp/server.py`) - A refactored Python package providing 9 tools for skill management
2. **Skills Directory** (`~/.skill-mcp/skills/`) - Where you store and manage your skills
## Key Advantages
### 🔓 Not Locked to Claude UI
Unlike the Claude interface, this system uses the **Model Context Protocol (MCP)**, which is:
- ✅ **Universal** - Works with Claude Desktop, claude.ai, Cursor, and any MCP-compatible client
- ✅ **Not tied to Claude** - Same skills work everywhere MCP is supported
- ✅ **Future-proof** - Not dependent on Claude's ecosystem or policy changes
- ✅ **Local-first** - Full control over your skills and data
### 🎯 Use Skills Everywhere
Your skills can run in:
- **Cursor** - IDE integration with MCP support
- **Claude Desktop** - Native app with MCP access
- **claude.ai** - Web interface with MCP support
- **Any MCP client** - Growing ecosystem of compatible applications
### 📦 Independent & Modular
- ✅ Each skill is self-contained with its own files, scripts, and environment
- ✅ No dependency on proprietary Claude features
- ✅ Can be versioned, shared, and reused across projects
- ✅ Standard MCP protocol ensures compatibility
### 🤖 LLM-Managed Skills (No Manual Copy-Paste)
Instead of manually copying, zipping, and uploading files:
```
❌ OLD WAY: Manual process
1. Create skill files locally
2. Zip the skill folder
3. Upload to Claude interface
4. Wait for processing
5. Can't easily modify or version
✅ NEW WAY: LLM-managed programmatically
1. Tell Claude: "Create a new skill called 'data-processor'"
2. Claude creates the skill directory and SKILL.md
3. Tell Claude: "Add a Python script to process CSVs"
4. Claude creates and tests the script
5. Tell Claude: "Set the API key for this skill"
6. Claude updates the .env file
7. Tell Claude: "Run the script with this data"
8. Claude executes it and shows results - all instantly!
```
**Key Benefits:**
- ✅ **No manual file operations** - LLM handles creation, editing, deletion
- ✅ **Instant changes** - No upload/download/reload cycles
- ✅ **Full version control** - Skills are regular files, can use git
- ✅ **Easy modification** - LLM can edit scripts on the fly
- ✅ **Testable** - LLM can create and run scripts immediately
- ✅ **Collaborative** - Teams can develop skills together via MCP
## Features
### Skill Management
- ✅ List all available skills
- ✅ Browse skill files and directory structure
- ✅ Read skill files (SKILL.md, scripts, references, assets)
- ✅ Create new skill files and directories
- ✅ Update existing skill files
- ✅ Delete skill files
### Script Execution
- ✅ Run Python, Bash, and other executable scripts
- ✅ **Automatic dependency management** for Python scripts using uv inline metadata (PEP 723)
- ✅ Automatic environment variable injection from secrets
- ✅ Command-line argument support
- ✅ Custom working directory support
- ✅ Capture stdout and stderr
- ✅ 30-second timeout for safety
### Environment Variables
- ✅ List environment variable keys (secure - no values shown)
- ✅ Set or update environment variables
- ✅ Persistent storage in `~/.skill-mcp/secrets`
- ✅ Automatic injection into script execution
## Directory Structure
```
~/.skill-mcp/
├── skill_mcp_server.py # The MCP server (you install this)
├── secrets # Environment variables (JSON format)
└── skills/ # Your skills directory
├── example-skill/
│ ├── SKILL.md # Required: skill definition
│ ├── scripts/ # Optional: executable scripts
│ ├── references/ # Optional: documentation
│ └── assets/ # Optional: templates, files
└── another-skill/
└── SKILL.md
```
## Quick Start
### 1. Install uv
This project uses [uv](https://github.com/astral-sh/uv) for fast, reliable Python package management.
```bash
# Install uv
curl -LsSf https://astral.sh/uv/install.sh | sh
```
### 2. Install the MCP Server
```bash
# Create directory
mkdir -p ~/.skill-mcp
# Copy all project files
cp -r src tests pyproject.toml ~/.skill-mcp/
# Install dependencies (uv auto-creates .venv)
cd ~/.skill-mcp
uv sync
```
### 3. Configure Claude
Add the MCP server to your Claude configuration:
**Claude Desktop** - Edit the config file:
- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
- Windows: `%APPDATA%\Claude\claude_desktop_config.json`
- Linux: `~/.config/Claude/claude_desktop_config.json`
```json
{
"mcpServers": {
"skill-mcp": {
"command": "uv",
"args": [
"run",
"--directory",
"/Users/yourname/.skill-mcp",
"-m",
"skill_mcp.server"
]
}
}
}
```
**Important:** Replace `/Users/yourname/.skill-mcp` with your actual absolute path!
**claude.ai** - Use the web interface:
1. Go to Settings > Developer > MCP Servers
2. Add new MCP server with the same configuration
### 4. Restart Claude
Restart Claude Desktop or refresh claude.ai to load the new MCP server.
### 5. Test It
In a new conversation:
```
List all available skills
```
Claude should use the skill-mcp tools to show skills in `~/.skill-mcp/skills/`.
## Common uv Commands
For development in this repository:
```bash
uv sync # Install/update dependencies
uv run python script.py # Run Python with project environment
uv add package-name # Add a new dependency
uv pip list # Show installed packages
uv run pytest tests/ -v # Run tests
```
**Note:** uv automatically creates and manages `.venv/` - no need to manually create virtual environments!
## Script Dependencies (PEP 723)
Python scripts can declare their own dependencies using uv's inline metadata. The server automatically detects this and uses `uv run` to handle dependencies:
```python
#!/usr/bin/env python3
# /// script
# dependencies = [
# "requests>=2.31.0",
# "pandas>=2.0.0",
# ]
# ///
import requests
import pandas as pd
# Your script code here - dependencies are automatically installed!
response = requests.get("https://api.example.com/data")
df = pd.DataFrame(response.json())
print(df.head())
```
**Benefits:**
- ✅ No manual dependency installation needed
- ✅ Each script has isolated dependencies
- ✅ Works automatically when run via `run_skill_script`
- ✅ Version pinning ensures reproducibility
**How it works:**
1. You add inline metadata to your Python script
2. When the script runs via `run_skill_script`, the server detects the metadata
3. uv automatically creates an isolated environment and installs dependencies
4. The script runs with access to those dependencies
5. No manual `pip install` or virtual environment management needed!
**Example:** See `example-skill/scripts/fetch_data.py` for a working example.
**Testing locally:**
```bash
# Scripts with dependencies just work!
uv run example-skill/scripts/fetch_data.py
```
## Usage Examples
### Creating a New Skill
```
User: "Create a new skill called 'pdf-processor' that can rotate and merge PDFs"
Claude will:
1. Create the skill directory and SKILL.md
2. Add any necessary scripts
3. Test the scripts
4. Guide you through setting up any needed dependencies
```
### Managing Environment Variables
```
User: "I need to set up a GitHub API token for my GitHub skills"
Claude will:
1. Ask for your token value
2. Store it securely using set_env
3. Confirm it's available for scripts to use
```
### Running Skill Scripts
```
User: "Run the data processing script from my analytics skill"
Claude will:
1. List available skills and scripts
2. Execute the script with environment variables
3. Show you the output and any errors
```
### Modifying Existing Skills
```
User: "Add a new reference document about our API schema to the company-knowledge skill"
Claude will:
1. Read the existing skill structure
2. Create the new reference file
3. Update SKILL.md if needed to reference it
```
## Available MCP Tools
The server provides these tools to Claude:
| Tool | Purpose |
|------|---------|
| `list_skills` | List all skills in ~/.skill-mcp/skills |
| `get_skill_files` | List files in a specific skill |
| `read_skill_file` | Read content of a skill file |
| `create_skill_file` | Create a new file in a skill |
| `update_skill_file` | Update an existing skill file |
| `delete_skill_file` | Delete a skill file |
| `run_skill_script` | Execute a script with environment variables |
| `list_env_keys` | List environment variable names |
| `set_env` | Set an environment variable |
## Security Features
### Path Validation
- All file paths are validated to prevent directory traversal attacks
- Paths with ".." or starting with "/" are rejected
- All operations are confined to the skill directory
### Environment Variables
- Variable values are never exposed when listing
- Stored in a separate secrets file
- File permissions should be restricted (chmod 600)
### Script Execution
- 30-second timeout prevents infinite loops
- Scripts run with user's permissions (not elevated)
- Output size limits prevent memory issues
- Capture both stdout and stderr for debugging
## Troubleshooting
### "MCP server not found"
- Check that `uv` is in your PATH: `which uv` (or `where uv` on Windows)
- Verify the path to `.skill-mcp` directory is correct and absolute
- Test dependencies: `cd ~/.skill-mcp && uv run python -c "import mcp; print('OK')"`
- Ensure `pyproject.toml` exists in `~/.skill-mcp/`
### "Permission denied" errors
```bash
chmod +x ~/.skill-mcp/skill_mcp_server.py
chmod 755 ~/.skill-mcp
chmod 755 ~/.skill-mcp/skills
chmod 600 ~/.skill-mcp/secrets
```
### Scripts failing to execute
- Check script has execute permissions
- Verify interpreter (python3, bash) is in PATH
- Use `list_env_keys` to check required variables are set
- Check stderr output from `run_skill_script`
### Environment variables not working
- Verify they're set: use `list_env_keys`
- Check the secrets file exists: `cat ~/.skill-mcp/secrets`
- Ensure your script is reading from `os.environ`
## Advanced: Tool Descriptions for LLMs
All MCP tools have been enhanced with detailed descriptions to prevent confusion:
### Skill Tools
- **list_skills** - Lists all skills with descriptions, paths, and validation status
- **get_skill_details** - Complete skill information: SKILL.md content, all files, scripts, environment variables
### File Tools
- **read_skill_file** - Read any file in a skill directory
- **create_skill_file** - Create new files (auto-creates parent directories)
- **update_skill_file** - Update existing files (replaces entire content)
- **delete_skill_file** - Delete files permanently (path-traversal protected)
### Script Tools
- **run_skill_script** - Execute scripts with automatic PEP 723 dependency detection
- **read_skill_env** - List environment variables (keys only, values hidden for security)
- **update_skill_env** - Create/update skill's .env file
## Advanced Configuration
### Custom Directories
Edit `skill_mcp_server.py` to change default locations:
```python
# Change skills directory
SKILLS_DIR = Path("/custom/path/to/skills")
# Change secrets file location
SECRETS_FILE = Path("/custom/path/to/secrets")
```
### Resource Limits
Adjust limits in `skill_mcp_server.py`:
```python
MAX_FILE_SIZE = 1_000_000 # File read limit (1MB)
MAX_OUTPUT_SIZE = 100_000 # Script output limit (100KB)
```
Script timeout in the `run_skill_script` function:
```python
result = subprocess.run(cmd, timeout=30) # 30 seconds
```
## Architecture & Implementation
### Package Structure
```
src/skill_mcp/
├── server.py # MCP server entry point
├── models.py # Pydantic input/output models
├── core/
│ ├── config.py # Configuration constants
│ └── exceptions.py # Custom exception types
├── services/
│ ├── env_service.py # .env file management
│ ├── file_service.py # File operations
│ ├── skill_service.py # Skill discovery & metadata
│ └── script_service.py # Script execution
├── utils/
│ ├── path_utils.py # Secure path validation
│ ├── yaml_parser.py # YAML frontmatter parsing
│ └── script_detector.py # Script capability detection
└── tools/
├── skill_tools.py # Skill management tools
├── file_tools.py # File operation tools
└── script_tools.py # Script execution tools
tests/
├── conftest.py # Pytest fixtures
└── 9 test modules # 78 tests (82% coverage passing)
```
### What's New
**Enhanced Features:**
- ✅ Skill descriptions extracted from YAML frontmatter
- ✅ Comprehensive skill details (files, scripts, metadata)
- ✅ File type detection (Python, Markdown, etc.)
- ✅ Executable identification with metadata
- ✅ **PEP 723 uv dependency detection** - scripts declare own dependencies
- ✅ Per-skill environment variables (.env files)
- ✅ Automatic dependency management for scripts
**Breaking Changes:**
- Removed global `~/.skill-mcp/secrets` (now per-skill .env files)
- Removed `list_env_keys` and `set_env` global tools
- Replaced `get_skill_files` with more comprehensive `get_skill_details`
## Test Results
### Unit Tests: 78/78 Passing ✅
**Coverage: 82% (522/641 statements covered)**
Comprehensive test coverage across all modules:
| Module | Coverage | Tests |
|--------|----------|-------|
| Core Config | 100% | All paths |
| Models | 100% | Input/Output validation |
| Exception Handling | 100% | All exception types |
| YAML Parser | 90% | Frontmatter parsing |
| Skill Service | 90% | Skill discovery & metadata |
| File Service | 89% | File operations |
| Environment Service | 83% | .env management |
| Skill Tools | 85% | Skill management tools |
| File Tools | 79% | File operation tools |
| Script Detector | 87% | Script capability detection |
| Path Utils | 86% | Path validation & security |
| Server | 67% | MCP tool registration |
| Script Service | 53% | Script execution |
| Script Tools | 61% | Script execution tools |
**Test Breakdown:**
- ✅ Path utilities: 4 tests
- ✅ YAML parsing: 7 tests
- ✅ Environment service: 7 tests
- ✅ File service: 4 tests
- ✅ Skill service: 5 tests
- ✅ Script detector: 20 tests
- ✅ Script service: 7 tests
- ✅ Integration tests: 24 tests
### Manual Tests: All Passed ✅
- ✅ List skills with YAML descriptions
- ✅ Get comprehensive skill details with SKILL.md content
- ✅ Read/create/update/delete files
- ✅ Read/update environment variables
- ✅ Execute scripts with auto-dependencies
- ✅ Weather-fetcher example runs successfully
## Verification Checklist
- ✅ Server imports successfully
- ✅ All 9 tools registered and callable
- ✅ 78/78 unit tests passing (82% coverage)
- ✅ All manual tests passing
- ✅ .cursor/mcp.json configured
- ✅ Package deployed and active
- ✅ Scripts execute successfully
- ✅ File operations working
- ✅ Environment variables working
- ✅ Backward compatible with existing skills
## Best Practices
### Skill Development
- Follow the standard skill structure (SKILL.md, scripts/, references/, assets/)
- Keep SKILL.md concise and focused
- Use progressive disclosure (split large docs into references)
- Test scripts immediately after creation
### Environment Variables
- Use descriptive names (API_KEY, DATABASE_URL)
- Never log or print sensitive values
- Set permissions on secrets file: `chmod 600 ~/.skill-mcp/skills/skillname/.env`
### Script Development
- Use meaningful exit codes (0 = success)
- Print helpful messages to stdout
- Print errors to stderr
- Include error handling
- **For Python scripts with dependencies:** Use inline metadata (PEP 723)
```python
# /// script
# dependencies = [
# "package-name>=version",
# ]
# ///
```
- Scripts without metadata use the system Python interpreter
- Scripts with metadata automatically get isolated environments via uv
### 🔐 Managing Sensitive Secrets Safely
To prevent LLMs from accessing your sensitive credentials:
**✅ RECOMMENDED: Update .env files directly on the file system**
```bash
# Edit the skill's .env file directly (LLM cannot access your local files)
nano ~/.skill-mcp/skills/my-skill/.env
# Add your secrets manually
API_KEY=your-actual-api-key-here
DATABASE_PASSWORD=your-password-here
OAUTH_TOKEN=your-token-here
# Secure the file
chmod 600 ~/.skill-mcp/skills/my-skill/.env
```
**Why this is important:**
- ✅ LLMs never see your sensitive values
- ✅ Secrets stay on your system only
- ✅ No risk of credentials appearing in logs or outputs
- ✅ Full control over sensitive data
- ✅ Can be used with `git-secret` or similar tools for versioning
**Workflow:**
1. Claude creates the skill structure and scripts
2. You manually add sensitive values to `.env` files
3. Claude can read the `.env` keys (without seeing values) and use them
4. Scripts access secrets via environment variables at runtime
**Example:**
```bash
# Step 1: Claude creates skill "api-client" via MCP
# You say: "Create a new skill called 'api-client'"
# Step 2: You manually secure the secrets
$ nano ~/.skill-mcp/skills/api-client/.env
API_KEY=sk-abc123def456xyz789
ENDPOINT=https://api.example.com
$ chmod 600 ~/.skill-mcp/skills/api-client/.env
# Step 3: Claude can now use the skill securely
# You say: "Run the API client script"
# Claude reads env var names only, uses them in scripts
# Your actual API key is never exposed to Claude
```
**❌ NEVER DO:**
- ❌ Tell Claude your actual API keys or passwords
- ❌ Ask Claude to set environment variables with sensitive values
- ❌ Store secrets in SKILL.md or other tracked files
- ❌ Use `update_skill_env` tool with real secrets (only for non-sensitive config)
**✅ DO:**
- ✅ Update `.env` files manually on your system
- ✅ Keep `.env` files in `.gitignore`
- ✅ Use `chmod 600` to restrict file access
- ✅ Tell Claude only the variable names (e.g., "the API key is in API_KEY")
- ✅ Keep secrets completely separate from LLM interactions
## ⚠️ Important: Verify LLM-Generated Code
When Claude or other LLMs create or modify skills and scripts using this MCP system, **always verify the generated code before running it in production**:
### Security Considerations
- ⚠️ **Always review generated code** - LLMs can make mistakes or generate suboptimal code
- ⚠️ **Check for security issues** - Look for hardcoded credentials, unsafe operations, or vulnerabilities
- ⚠️ **Test thoroughly** - Run scripts in isolated environments first
- ⚠️ **Validate permissions** - Ensure scripts have appropriate file and system permissions
- ⚠️ **Monitor dependencies** - Review any external packages installed via PEP 723
### Best Practices for LLM-Generated Skills
1. **Review before execution** - Always read through generated scripts
2. **Test in isolation** - Run in a safe environment before production use
3. **Use version control** - Track all changes with git for audit trails
4. **Implement error handling** - Add robust error handling and logging
5. **Set resource limits** - Use timeouts and resource constraints
6. **Run with minimal permissions** - Don't run skills as root or with elevated privileges
7. **Validate inputs** - Sanitize any user-provided data
8. **Audit logs** - Review what scripts actually do and track their execution
### Common Things to Check
- ❌ Hardcoded API keys, passwords, or tokens
- ❌ Unsafe file operations or path traversal risks
- ❌ Unvalidated external commands or shell injection risks
- ❌ Missing error handling or edge cases
- ❌ Resource-intensive operations without limits
- ❌ Unsafe deserialization (eval, pickle, etc.)
- ❌ Excessive permissions requested
- ❌ Untrustworthy external dependencies
### When in Doubt
- Ask Claude/LLM to explain the code
- Have another person review critical code
- Use linters and security scanning tools
- Run in containers or VMs for isolation
- Start with read-only operations before destructive ones
**Remember:** LLM-generated code is a starting point. Your verification and review are essential for security and reliability.
## License
MIT License
Copyright (c) 2025
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
## Contributing
This is a custom tool for personal use. Feel free to fork and adapt for your needs.
## Support
For setup issues or questions, refer to:
- Claude's MCP documentation at https://modelcontextprotocol.io
- The MCP Python SDK docs at https://github.com/modelcontextprotocol/python-sdk
Raw data
{
"_id": null,
"home_page": null,
"name": "skill-mcp",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.10",
"maintainer_email": null,
"keywords": "ai, claude, llm, mcp, model-context-protocol, skills",
"author": "fkesheh",
"author_email": null,
"download_url": "https://files.pythonhosted.org/packages/c3/ed/284a9f27b5b0a8b2e3cb3b579c90050a7d097a327e0eac14a9a7949a73af/skill_mcp-0.1.1.tar.gz",
"platform": null,
"description": "# Skill Management MCP Server\n\nA Model Context Protocol (MCP) server that enables Claude to manage skills stored in `~/.skill-mcp/skills`. This system allows Claude to create, edit, run, and manage skills programmatically, including execution of skill scripts with environment variables.\n\n## Quick Status\n\n**Status:** \u2705 Production Ready \n**Test Coverage:** 82% (78/78 tests passing) \n**Deployed:** October 18, 2025 \n**Architecture:** 19-module modular Python package\n\n## Overview\n\nThis project consists of two main components:\n\n1. **MCP Server** (`src/skill_mcp/server.py`) - A refactored Python package providing 9 tools for skill management\n2. **Skills Directory** (`~/.skill-mcp/skills/`) - Where you store and manage your skills\n\n## Key Advantages\n\n### \ud83d\udd13 Not Locked to Claude UI\n\nUnlike the Claude interface, this system uses the **Model Context Protocol (MCP)**, which is:\n\n- \u2705 **Universal** - Works with Claude Desktop, claude.ai, Cursor, and any MCP-compatible client\n- \u2705 **Not tied to Claude** - Same skills work everywhere MCP is supported\n- \u2705 **Future-proof** - Not dependent on Claude's ecosystem or policy changes\n- \u2705 **Local-first** - Full control over your skills and data\n\n### \ud83c\udfaf Use Skills Everywhere\n\nYour skills can run in:\n- **Cursor** - IDE integration with MCP support\n- **Claude Desktop** - Native app with MCP access\n- **claude.ai** - Web interface with MCP support\n- **Any MCP client** - Growing ecosystem of compatible applications\n\n### \ud83d\udce6 Independent & Modular\n\n- \u2705 Each skill is self-contained with its own files, scripts, and environment\n- \u2705 No dependency on proprietary Claude features\n- \u2705 Can be versioned, shared, and reused across projects\n- \u2705 Standard MCP protocol ensures compatibility\n\n### \ud83e\udd16 LLM-Managed Skills (No Manual Copy-Paste)\n\nInstead of manually copying, zipping, and uploading files:\n\n```\n\u274c OLD WAY: Manual process\n 1. Create skill files locally\n 2. Zip the skill folder\n 3. Upload to Claude interface\n 4. Wait for processing\n 5. Can't easily modify or version\n\n\u2705 NEW WAY: LLM-managed programmatically\n 1. Tell Claude: \"Create a new skill called 'data-processor'\"\n 2. Claude creates the skill directory and SKILL.md\n 3. Tell Claude: \"Add a Python script to process CSVs\"\n 4. Claude creates and tests the script\n 5. Tell Claude: \"Set the API key for this skill\"\n 6. Claude updates the .env file\n 7. Tell Claude: \"Run the script with this data\"\n 8. Claude executes it and shows results - all instantly!\n```\n\n**Key Benefits:**\n- \u2705 **No manual file operations** - LLM handles creation, editing, deletion\n- \u2705 **Instant changes** - No upload/download/reload cycles\n- \u2705 **Full version control** - Skills are regular files, can use git\n- \u2705 **Easy modification** - LLM can edit scripts on the fly\n- \u2705 **Testable** - LLM can create and run scripts immediately\n- \u2705 **Collaborative** - Teams can develop skills together via MCP\n\n## Features\n\n### Skill Management\n- \u2705 List all available skills\n- \u2705 Browse skill files and directory structure\n- \u2705 Read skill files (SKILL.md, scripts, references, assets)\n- \u2705 Create new skill files and directories\n- \u2705 Update existing skill files\n- \u2705 Delete skill files\n\n### Script Execution\n- \u2705 Run Python, Bash, and other executable scripts\n- \u2705 **Automatic dependency management** for Python scripts using uv inline metadata (PEP 723)\n- \u2705 Automatic environment variable injection from secrets\n- \u2705 Command-line argument support\n- \u2705 Custom working directory support\n- \u2705 Capture stdout and stderr\n- \u2705 30-second timeout for safety\n\n### Environment Variables\n- \u2705 List environment variable keys (secure - no values shown)\n- \u2705 Set or update environment variables\n- \u2705 Persistent storage in `~/.skill-mcp/secrets`\n- \u2705 Automatic injection into script execution\n\n## Directory Structure\n\n```\n~/.skill-mcp/\n\u251c\u2500\u2500 skill_mcp_server.py # The MCP server (you install this)\n\u251c\u2500\u2500 secrets # Environment variables (JSON format)\n\u2514\u2500\u2500 skills/ # Your skills directory\n \u251c\u2500\u2500 example-skill/\n \u2502 \u251c\u2500\u2500 SKILL.md # Required: skill definition\n \u2502 \u251c\u2500\u2500 scripts/ # Optional: executable scripts\n \u2502 \u251c\u2500\u2500 references/ # Optional: documentation\n \u2502 \u2514\u2500\u2500 assets/ # Optional: templates, files\n \u2514\u2500\u2500 another-skill/\n \u2514\u2500\u2500 SKILL.md\n```\n\n## Quick Start\n\n### 1. Install uv\n\nThis project uses [uv](https://github.com/astral-sh/uv) for fast, reliable Python package management.\n\n```bash\n# Install uv\ncurl -LsSf https://astral.sh/uv/install.sh | sh\n```\n\n### 2. Install the MCP Server\n\n```bash\n# Create directory\nmkdir -p ~/.skill-mcp\n\n# Copy all project files\ncp -r src tests pyproject.toml ~/.skill-mcp/\n\n# Install dependencies (uv auto-creates .venv)\ncd ~/.skill-mcp\nuv sync\n```\n\n### 3. Configure Claude\n\nAdd the MCP server to your Claude configuration:\n\n**Claude Desktop** - Edit the config file:\n- macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`\n- Windows: `%APPDATA%\\Claude\\claude_desktop_config.json`\n- Linux: `~/.config/Claude/claude_desktop_config.json`\n\n```json\n{\n \"mcpServers\": {\n \"skill-mcp\": {\n \"command\": \"uv\",\n \"args\": [\n \"run\",\n \"--directory\",\n \"/Users/yourname/.skill-mcp\",\n \"-m\",\n \"skill_mcp.server\"\n ]\n }\n }\n}\n```\n\n**Important:** Replace `/Users/yourname/.skill-mcp` with your actual absolute path!\n\n**claude.ai** - Use the web interface:\n1. Go to Settings > Developer > MCP Servers\n2. Add new MCP server with the same configuration\n\n### 4. Restart Claude\n\nRestart Claude Desktop or refresh claude.ai to load the new MCP server.\n\n### 5. Test It\n\nIn a new conversation:\n```\nList all available skills\n```\n\nClaude should use the skill-mcp tools to show skills in `~/.skill-mcp/skills/`.\n\n## Common uv Commands\n\nFor development in this repository:\n```bash\nuv sync # Install/update dependencies\nuv run python script.py # Run Python with project environment\nuv add package-name # Add a new dependency\nuv pip list # Show installed packages\nuv run pytest tests/ -v # Run tests\n```\n\n**Note:** uv automatically creates and manages `.venv/` - no need to manually create virtual environments!\n\n## Script Dependencies (PEP 723)\n\nPython scripts can declare their own dependencies using uv's inline metadata. The server automatically detects this and uses `uv run` to handle dependencies:\n\n```python\n#!/usr/bin/env python3\n# /// script\n# dependencies = [\n# \"requests>=2.31.0\",\n# \"pandas>=2.0.0\",\n# ]\n# ///\n\nimport requests\nimport pandas as pd\n\n# Your script code here - dependencies are automatically installed!\nresponse = requests.get(\"https://api.example.com/data\")\ndf = pd.DataFrame(response.json())\nprint(df.head())\n```\n\n**Benefits:**\n- \u2705 No manual dependency installation needed\n- \u2705 Each script has isolated dependencies\n- \u2705 Works automatically when run via `run_skill_script`\n- \u2705 Version pinning ensures reproducibility\n\n**How it works:**\n1. You add inline metadata to your Python script\n2. When the script runs via `run_skill_script`, the server detects the metadata\n3. uv automatically creates an isolated environment and installs dependencies\n4. The script runs with access to those dependencies\n5. No manual `pip install` or virtual environment management needed!\n\n**Example:** See `example-skill/scripts/fetch_data.py` for a working example.\n\n**Testing locally:**\n```bash\n# Scripts with dependencies just work!\nuv run example-skill/scripts/fetch_data.py\n```\n\n## Usage Examples\n\n### Creating a New Skill\n\n```\nUser: \"Create a new skill called 'pdf-processor' that can rotate and merge PDFs\"\n\nClaude will:\n1. Create the skill directory and SKILL.md\n2. Add any necessary scripts\n3. Test the scripts\n4. Guide you through setting up any needed dependencies\n```\n\n### Managing Environment Variables\n\n```\nUser: \"I need to set up a GitHub API token for my GitHub skills\"\n\nClaude will:\n1. Ask for your token value\n2. Store it securely using set_env\n3. Confirm it's available for scripts to use\n```\n\n### Running Skill Scripts\n\n```\nUser: \"Run the data processing script from my analytics skill\"\n\nClaude will:\n1. List available skills and scripts\n2. Execute the script with environment variables\n3. Show you the output and any errors\n```\n\n### Modifying Existing Skills\n\n```\nUser: \"Add a new reference document about our API schema to the company-knowledge skill\"\n\nClaude will:\n1. Read the existing skill structure\n2. Create the new reference file\n3. Update SKILL.md if needed to reference it\n```\n\n## Available MCP Tools\n\nThe server provides these tools to Claude:\n\n| Tool | Purpose |\n|------|---------|\n| `list_skills` | List all skills in ~/.skill-mcp/skills |\n| `get_skill_files` | List files in a specific skill |\n| `read_skill_file` | Read content of a skill file |\n| `create_skill_file` | Create a new file in a skill |\n| `update_skill_file` | Update an existing skill file |\n| `delete_skill_file` | Delete a skill file |\n| `run_skill_script` | Execute a script with environment variables |\n| `list_env_keys` | List environment variable names |\n| `set_env` | Set an environment variable |\n\n## Security Features\n\n### Path Validation\n- All file paths are validated to prevent directory traversal attacks\n- Paths with \"..\" or starting with \"/\" are rejected\n- All operations are confined to the skill directory\n\n### Environment Variables\n- Variable values are never exposed when listing\n- Stored in a separate secrets file\n- File permissions should be restricted (chmod 600)\n\n### Script Execution\n- 30-second timeout prevents infinite loops\n- Scripts run with user's permissions (not elevated)\n- Output size limits prevent memory issues\n- Capture both stdout and stderr for debugging\n\n## Troubleshooting\n\n### \"MCP server not found\"\n- Check that `uv` is in your PATH: `which uv` (or `where uv` on Windows)\n- Verify the path to `.skill-mcp` directory is correct and absolute\n- Test dependencies: `cd ~/.skill-mcp && uv run python -c \"import mcp; print('OK')\"`\n- Ensure `pyproject.toml` exists in `~/.skill-mcp/`\n\n### \"Permission denied\" errors\n```bash\nchmod +x ~/.skill-mcp/skill_mcp_server.py\nchmod 755 ~/.skill-mcp\nchmod 755 ~/.skill-mcp/skills\nchmod 600 ~/.skill-mcp/secrets\n```\n\n### Scripts failing to execute\n- Check script has execute permissions\n- Verify interpreter (python3, bash) is in PATH\n- Use `list_env_keys` to check required variables are set\n- Check stderr output from `run_skill_script`\n\n### Environment variables not working\n- Verify they're set: use `list_env_keys`\n- Check the secrets file exists: `cat ~/.skill-mcp/secrets`\n- Ensure your script is reading from `os.environ`\n\n## Advanced: Tool Descriptions for LLMs\n\nAll MCP tools have been enhanced with detailed descriptions to prevent confusion:\n\n### Skill Tools\n- **list_skills** - Lists all skills with descriptions, paths, and validation status\n- **get_skill_details** - Complete skill information: SKILL.md content, all files, scripts, environment variables\n\n### File Tools\n- **read_skill_file** - Read any file in a skill directory\n- **create_skill_file** - Create new files (auto-creates parent directories)\n- **update_skill_file** - Update existing files (replaces entire content)\n- **delete_skill_file** - Delete files permanently (path-traversal protected)\n\n### Script Tools\n- **run_skill_script** - Execute scripts with automatic PEP 723 dependency detection\n- **read_skill_env** - List environment variables (keys only, values hidden for security)\n- **update_skill_env** - Create/update skill's .env file\n\n## Advanced Configuration\n\n### Custom Directories\n\nEdit `skill_mcp_server.py` to change default locations:\n\n```python\n# Change skills directory\nSKILLS_DIR = Path(\"/custom/path/to/skills\")\n\n# Change secrets file location\nSECRETS_FILE = Path(\"/custom/path/to/secrets\")\n```\n\n### Resource Limits\n\nAdjust limits in `skill_mcp_server.py`:\n\n```python\nMAX_FILE_SIZE = 1_000_000 # File read limit (1MB)\nMAX_OUTPUT_SIZE = 100_000 # Script output limit (100KB)\n```\n\nScript timeout in the `run_skill_script` function:\n\n```python\nresult = subprocess.run(cmd, timeout=30) # 30 seconds\n```\n\n## Architecture & Implementation\n\n### Package Structure\n\n```\nsrc/skill_mcp/\n\u251c\u2500\u2500 server.py # MCP server entry point\n\u251c\u2500\u2500 models.py # Pydantic input/output models\n\u251c\u2500\u2500 core/\n\u2502 \u251c\u2500\u2500 config.py # Configuration constants\n\u2502 \u2514\u2500\u2500 exceptions.py # Custom exception types\n\u251c\u2500\u2500 services/\n\u2502 \u251c\u2500\u2500 env_service.py # .env file management\n\u2502 \u251c\u2500\u2500 file_service.py # File operations\n\u2502 \u251c\u2500\u2500 skill_service.py # Skill discovery & metadata\n\u2502 \u2514\u2500\u2500 script_service.py # Script execution\n\u251c\u2500\u2500 utils/\n\u2502 \u251c\u2500\u2500 path_utils.py # Secure path validation\n\u2502 \u251c\u2500\u2500 yaml_parser.py # YAML frontmatter parsing\n\u2502 \u2514\u2500\u2500 script_detector.py # Script capability detection\n\u2514\u2500\u2500 tools/\n \u251c\u2500\u2500 skill_tools.py # Skill management tools\n \u251c\u2500\u2500 file_tools.py # File operation tools\n \u2514\u2500\u2500 script_tools.py # Script execution tools\n\ntests/\n\u251c\u2500\u2500 conftest.py # Pytest fixtures\n\u2514\u2500\u2500 9 test modules # 78 tests (82% coverage passing)\n```\n\n### What's New\n\n**Enhanced Features:**\n- \u2705 Skill descriptions extracted from YAML frontmatter\n- \u2705 Comprehensive skill details (files, scripts, metadata)\n- \u2705 File type detection (Python, Markdown, etc.)\n- \u2705 Executable identification with metadata\n- \u2705 **PEP 723 uv dependency detection** - scripts declare own dependencies\n- \u2705 Per-skill environment variables (.env files)\n- \u2705 Automatic dependency management for scripts\n\n**Breaking Changes:**\n- Removed global `~/.skill-mcp/secrets` (now per-skill .env files)\n- Removed `list_env_keys` and `set_env` global tools\n- Replaced `get_skill_files` with more comprehensive `get_skill_details`\n\n## Test Results\n\n### Unit Tests: 78/78 Passing \u2705\n\n**Coverage: 82% (522/641 statements covered)**\n\nComprehensive test coverage across all modules:\n\n| Module | Coverage | Tests |\n|--------|----------|-------|\n| Core Config | 100% | All paths |\n| Models | 100% | Input/Output validation |\n| Exception Handling | 100% | All exception types |\n| YAML Parser | 90% | Frontmatter parsing |\n| Skill Service | 90% | Skill discovery & metadata |\n| File Service | 89% | File operations |\n| Environment Service | 83% | .env management |\n| Skill Tools | 85% | Skill management tools |\n| File Tools | 79% | File operation tools |\n| Script Detector | 87% | Script capability detection |\n| Path Utils | 86% | Path validation & security |\n| Server | 67% | MCP tool registration |\n| Script Service | 53% | Script execution |\n| Script Tools | 61% | Script execution tools |\n\n**Test Breakdown:**\n- \u2705 Path utilities: 4 tests\n- \u2705 YAML parsing: 7 tests\n- \u2705 Environment service: 7 tests\n- \u2705 File service: 4 tests\n- \u2705 Skill service: 5 tests\n- \u2705 Script detector: 20 tests\n- \u2705 Script service: 7 tests\n- \u2705 Integration tests: 24 tests\n\n### Manual Tests: All Passed \u2705\n- \u2705 List skills with YAML descriptions\n- \u2705 Get comprehensive skill details with SKILL.md content\n- \u2705 Read/create/update/delete files\n- \u2705 Read/update environment variables\n- \u2705 Execute scripts with auto-dependencies\n- \u2705 Weather-fetcher example runs successfully\n\n## Verification Checklist\n\n- \u2705 Server imports successfully\n- \u2705 All 9 tools registered and callable\n- \u2705 78/78 unit tests passing (82% coverage)\n- \u2705 All manual tests passing\n- \u2705 .cursor/mcp.json configured\n- \u2705 Package deployed and active\n- \u2705 Scripts execute successfully\n- \u2705 File operations working\n- \u2705 Environment variables working\n- \u2705 Backward compatible with existing skills\n\n## Best Practices\n\n### Skill Development\n- Follow the standard skill structure (SKILL.md, scripts/, references/, assets/)\n- Keep SKILL.md concise and focused\n- Use progressive disclosure (split large docs into references)\n- Test scripts immediately after creation\n\n### Environment Variables\n- Use descriptive names (API_KEY, DATABASE_URL)\n- Never log or print sensitive values\n- Set permissions on secrets file: `chmod 600 ~/.skill-mcp/skills/skillname/.env`\n\n### Script Development\n- Use meaningful exit codes (0 = success)\n- Print helpful messages to stdout\n- Print errors to stderr\n- Include error handling\n- **For Python scripts with dependencies:** Use inline metadata (PEP 723)\n ```python\n # /// script\n # dependencies = [\n # \"package-name>=version\",\n # ]\n # ///\n ```\n- Scripts without metadata use the system Python interpreter\n- Scripts with metadata automatically get isolated environments via uv\n\n### \ud83d\udd10 Managing Sensitive Secrets Safely\n\nTo prevent LLMs from accessing your sensitive credentials:\n\n**\u2705 RECOMMENDED: Update .env files directly on the file system**\n\n```bash\n# Edit the skill's .env file directly (LLM cannot access your local files)\nnano ~/.skill-mcp/skills/my-skill/.env\n\n# Add your secrets manually\nAPI_KEY=your-actual-api-key-here\nDATABASE_PASSWORD=your-password-here\nOAUTH_TOKEN=your-token-here\n\n# Secure the file\nchmod 600 ~/.skill-mcp/skills/my-skill/.env\n```\n\n**Why this is important:**\n- \u2705 LLMs never see your sensitive values\n- \u2705 Secrets stay on your system only\n- \u2705 No risk of credentials appearing in logs or outputs\n- \u2705 Full control over sensitive data\n- \u2705 Can be used with `git-secret` or similar tools for versioning\n\n**Workflow:**\n1. Claude creates the skill structure and scripts\n2. You manually add sensitive values to `.env` files\n3. Claude can read the `.env` keys (without seeing values) and use them\n4. Scripts access secrets via environment variables at runtime\n\n**Example:**\n```bash\n# Step 1: Claude creates skill \"api-client\" via MCP\n# You say: \"Create a new skill called 'api-client'\"\n\n# Step 2: You manually secure the secrets\n$ nano ~/.skill-mcp/skills/api-client/.env\nAPI_KEY=sk-abc123def456xyz789\nENDPOINT=https://api.example.com\n\n$ chmod 600 ~/.skill-mcp/skills/api-client/.env\n\n# Step 3: Claude can now use the skill securely\n# You say: \"Run the API client script\"\n# Claude reads env var names only, uses them in scripts\n# Your actual API key is never exposed to Claude\n```\n\n**\u274c NEVER DO:**\n- \u274c Tell Claude your actual API keys or passwords\n- \u274c Ask Claude to set environment variables with sensitive values\n- \u274c Store secrets in SKILL.md or other tracked files\n- \u274c Use `update_skill_env` tool with real secrets (only for non-sensitive config)\n\n**\u2705 DO:**\n- \u2705 Update `.env` files manually on your system\n- \u2705 Keep `.env` files in `.gitignore`\n- \u2705 Use `chmod 600` to restrict file access\n- \u2705 Tell Claude only the variable names (e.g., \"the API key is in API_KEY\")\n- \u2705 Keep secrets completely separate from LLM interactions\n\n## \u26a0\ufe0f Important: Verify LLM-Generated Code\n\nWhen Claude or other LLMs create or modify skills and scripts using this MCP system, **always verify the generated code before running it in production**:\n\n### Security Considerations\n- \u26a0\ufe0f **Always review generated code** - LLMs can make mistakes or generate suboptimal code\n- \u26a0\ufe0f **Check for security issues** - Look for hardcoded credentials, unsafe operations, or vulnerabilities\n- \u26a0\ufe0f **Test thoroughly** - Run scripts in isolated environments first\n- \u26a0\ufe0f **Validate permissions** - Ensure scripts have appropriate file and system permissions\n- \u26a0\ufe0f **Monitor dependencies** - Review any external packages installed via PEP 723\n\n### Best Practices for LLM-Generated Skills\n1. **Review before execution** - Always read through generated scripts\n2. **Test in isolation** - Run in a safe environment before production use\n3. **Use version control** - Track all changes with git for audit trails\n4. **Implement error handling** - Add robust error handling and logging\n5. **Set resource limits** - Use timeouts and resource constraints\n6. **Run with minimal permissions** - Don't run skills as root or with elevated privileges\n7. **Validate inputs** - Sanitize any user-provided data\n8. **Audit logs** - Review what scripts actually do and track their execution\n\n### Common Things to Check\n- \u274c Hardcoded API keys, passwords, or tokens\n- \u274c Unsafe file operations or path traversal risks\n- \u274c Unvalidated external commands or shell injection risks\n- \u274c Missing error handling or edge cases\n- \u274c Resource-intensive operations without limits\n- \u274c Unsafe deserialization (eval, pickle, etc.)\n- \u274c Excessive permissions requested\n- \u274c Untrustworthy external dependencies\n\n### When in Doubt\n- Ask Claude/LLM to explain the code\n- Have another person review critical code\n- Use linters and security scanning tools\n- Run in containers or VMs for isolation\n- Start with read-only operations before destructive ones\n\n**Remember:** LLM-generated code is a starting point. Your verification and review are essential for security and reliability.\n\n## License\n\nMIT License\n\nCopyright (c) 2025\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n\n## Contributing\n\nThis is a custom tool for personal use. Feel free to fork and adapt for your needs.\n\n## Support\n\nFor setup issues or questions, refer to:\n- Claude's MCP documentation at https://modelcontextprotocol.io\n- The MCP Python SDK docs at https://github.com/modelcontextprotocol/python-sdk\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "A Model Context Protocol (MCP) server for managing Claude skills",
"version": "0.1.1",
"project_urls": {
"Documentation": "https://github.com/fkesheh/skill-mcp#readme",
"Homepage": "https://github.com/fkesheh/skill-mcp",
"Issues": "https://github.com/fkesheh/skill-mcp/issues",
"Repository": "https://github.com/fkesheh/skill-mcp"
},
"split_keywords": [
"ai",
" claude",
" llm",
" mcp",
" model-context-protocol",
" skills"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "8b5393a523e1ae2153adb33ed834ddf0870d84f049532d141a7c87814a32b38a",
"md5": "992d74846e13f4cb5b60490952d7c732",
"sha256": "c4e32e4eebf6a8be1ce965bd2336c01780d9ecaa1d3ff9b1bbfe4e7b22d234a3"
},
"downloads": -1,
"filename": "skill_mcp-0.1.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "992d74846e13f4cb5b60490952d7c732",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.10",
"size": 29936,
"upload_time": "2025-10-18T12:40:46",
"upload_time_iso_8601": "2025-10-18T12:40:46.883242Z",
"url": "https://files.pythonhosted.org/packages/8b/53/93a523e1ae2153adb33ed834ddf0870d84f049532d141a7c87814a32b38a/skill_mcp-0.1.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "c3ed284a9f27b5b0a8b2e3cb3b579c90050a7d097a327e0eac14a9a7949a73af",
"md5": "1dc3911e8c58f65c38c36a438e6a8d51",
"sha256": "648fd96c894536e9e050fb4f79a67d23431f14618b37f3dd6968813d3f661338"
},
"downloads": -1,
"filename": "skill_mcp-0.1.1.tar.gz",
"has_sig": false,
"md5_digest": "1dc3911e8c58f65c38c36a438e6a8d51",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.10",
"size": 83278,
"upload_time": "2025-10-18T12:40:49",
"upload_time_iso_8601": "2025-10-18T12:40:49.197661Z",
"url": "https://files.pythonhosted.org/packages/c3/ed/284a9f27b5b0a8b2e3cb3b579c90050a7d097a327e0eac14a9a7949a73af/skill_mcp-0.1.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-10-18 12:40:49",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "fkesheh",
"github_project": "skill-mcp#readme",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "skill-mcp"
}
JSON
