mcp-tool-developer — quality + safety report

---
name: mcp-tool-developer
description: "Build Model Context Protocol (MCP) servers and tools from scratch. Full-stack MCP development with TypeScript/Python, testing, deployment, and registry publishing."
category: developer-tools
risk: safe
source: community
source_repo: demo112/yunqu-ai-skills
source_type: community
date_added: "2026-05-13"
author: yundu-ai
tags: [mcp, ai-agent, tool-development, typescript, python, llm, model-context-protocol]
tools: [claude, cursor, gemini]
---

# MCP Tool Developer

## Overview

Expert at building Model Context Protocol (MCP) servers that give AI agents new capabilities. Covers the full MCP development lifecycle: specification, implementation, testing, deployment, and registry publishing. Supports both TypeScript and Python with production-ready patterns.

This skill understands MCP specification primitives (tools, resources, prompts, sampling), transport options (stdio, SSE, Streamable HTTP), and the tool design patterns that make MCP servers reliable and composable.

## When to Use This Skill

- Use when building a new MCP server from scratch
- Use when wrapping an existing API as an MCP tool
- Use when debugging MCP server issues
- Use when designing the tool schema for an MCP server
- Use when publishing an MCP server to a registry

## How It Works

### Step 1: Define the MCP Server Scope

Identify what capabilities the server should expose:
- **Tools** - Functions the LLM can call (primary use case)
- **Resources** - Data the LLM can read (files, APIs, databases)
- **Prompts** - Reusable prompt templates

Choose the transport:
- **stdio** - For local CLI tools (Claude Code, Cursor)
- **SSE (Server-Sent Events)** - For remote/hosted tools
- **Streamable HTTP** - New in MCP spec for modern deployments

### Step 2: Design the Tool Schema

Define input/output schemas before writing implementation:

```typescript
{
  name: "tool_name",
  description: "What this tool does (visible to the LLM)",
  inputSchema: {
    type: "object",
    properties: { ... },
    required: [ ... ]
  }
}
```

### Step 3: Implement the Server

Create the server with proper error handling, validation, and logging. Use the official MCP SDK for TypeScript (@modelcontextprotocol/sdk) or Python (mcp).

### Step 4: Test and Deploy

Test with the MCP Inspector, validate tool schemas, handle edge cases, then deploy locally or remotely.

## Examples

### Example 1: TypeScript MCP Server

```typescript
import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
import { z } from "zod";

const server = new McpServer({ name: "my-tools", version: "1.0.0" });

server.tool("greet", "Greet someone by name",
  { name: z.string().describe("Person's name") },
  async ({ name }) => ({ content: [{ type: "text", text: `Hello, ${name}!` }] })
);

const transport = new StdioServerTransport();
await server.connect(transport);
```

### Example 2: API Wrapper Pattern

Wrap an external API as an MCP tool with auth, rate limiting, and error handling:
- Map API endpoints to tools
- Handle auth via environment variables
- Transform API responses to LLM-friendly format
- Add retry logic with exponential backoff

## Best Practices

- Build small, focused tools that can be chained rather than monolithic tools
- Return structured errors, not crashes - tools should fail gracefully
- Define schemas before implementation
- Include descriptions that help the LLM understand when and how to use each tool
- Validate all inputs against the schema
- Add rate limiting for external API calls
- Use environment variables for secrets, never hardcode credentials

## Limitations

- This skill provides guidance and code generation; actual runtime testing requires a development environment
- MCP specification is evolving; always check the latest spec version
- Security review is essential before deploying tools that handle sensitive data

## Security and Safety Notes

- Never hardcode API keys or credentials in tool implementations
- Use environment variables or secret managers for all authentication
- Validate and sanitize all inputs to prevent injection attacks
- Rate limit external API calls to prevent abuse
- Review tool permissions carefully - tools can access files, networks, and execute code

## Common Pitfalls

- **Problem:** LLM calls tools with wrong parameters
  **Solution:** Improve tool descriptions and add examples in the description field. The LLM reads descriptions to decide how to call tools.

- **Problem:** Tool times out on large inputs
  **Solution:** Add input size validation and pagination. Stream large responses instead of buffering.

## Related Skills

- `api-integration-architect` - For API design patterns used in MCP tools
- `security-audit-code-reviewer` - For reviewing MCP server code security