Agent Skills Search Server
Search and discover Agent Skills from the skills.sh registry. Powered by HAPI MCP server.
Installation
Claude Desktop config (remote)
{
"mcpServers": {
"ai-com-mcp-skills-search": {
"type": "streamable-http",
"url": "https://skills-sh.run.mcp.com.ai/mcp"
}
}
}Cursor config
{
"mcpServers": {
"ai-com-mcp-skills-search": {
"url": "https://skills-sh.run.mcp.com.ai/mcp"
}
}
}Security Report
Score Breakdown
Findings (5)
Remote HTTP Endpoint Without Visible Authentication
Server uses streamable-http transport with a remote URL (https://skills-sh.run.mcp.com.ai/mcp), meaning it accepts connections from the internet. No authentication mechanism is documented in the provided metadata.
Unclear Scope and Capabilities
The description states it 'searches and discovers Agent Skills' but doesn't clearly define what 'Agent Skills' are, what data is returned, or what the actual capabilities/tools are. The phrase 'Powered by HAPI MCP server' is vague marketing language.
Broad Registry Access Without Defined Constraints
A 'registry search' server could potentially expose or access a large number of skills/tools from an external registry. Without tool definitions, it's unclear if there are rate limits, access controls, or data filtering.
No Tool Definitions Available
Tool definitions were not fetched from the server, making it impossible to assess prompt injection risks, input validation, or hidden instructions in tool descriptions.
Semantic Analysis Summary
This server presents moderate security concerns due to its remote HTTP endpoint without documented authentication and vague description of capabilities. The lack of available tool definitions prevents full assessment of input validation and prompt injection risks. While it has a repository and website (positive trust signals), the broad registry access pattern and unclear scope warrant caution.
Last scanned 1mo ago
Details
- Version
- 1.0.0
- Transport
- streamable-http
- Capabilities
- Repository
- agentskills/agentskills
- Website
- run.mcp.com.ai