Skip to main content
Glama

Skill Management MCP Server

by fkesheh

Skill Management MCP Server

A Model Context Protocol (MCP) server that enables Claude to manage skills stored in ~/.skill-mcp/skills. This system allows Claude to create, edit, run, and manage skills programmatically, including execution of skill scripts with environment variables.

Quick Status

Status: āœ… Production Ready
Test Coverage: 82% (78/78 tests passing)
Deployed: October 18, 2025
Architecture: 19-module modular Python package

Overview

This project consists of two main components:

  1. MCP Server (src/skill_mcp/server.py) - A refactored Python package providing 9 tools for skill management

  2. Skills Directory (~/.skill-mcp/skills/) - Where you store and manage your skills

Key Advantages

šŸ”“ Not Locked to Claude UI

Unlike the Claude interface, this system uses the Model Context Protocol (MCP), which is:

  • āœ… Universal - Works with Claude Desktop, claude.ai, Cursor, and any MCP-compatible client

  • āœ… Not tied to Claude - Same skills work everywhere MCP is supported

  • āœ… Future-proof - Not dependent on Claude's ecosystem or policy changes

  • āœ… Local-first - Full control over your skills and data

šŸŽÆ Use Skills Everywhere

Your skills can run in:

  • Cursor - IDE integration with MCP support

  • Claude Desktop - Native app with MCP access

  • claude.ai - Web interface with MCP support

  • Any MCP client - Growing ecosystem of compatible applications

šŸ“¦ Independent & Modular

  • āœ… Each skill is self-contained with its own files, scripts, and environment

  • āœ… No dependency on proprietary Claude features

  • āœ… Can be versioned, shared, and reused across projects

  • āœ… Standard MCP protocol ensures compatibility

šŸ”„ Share Skills Across All MCP Clients

  • āœ… One skill directory, multiple clients - Create once, use everywhere

  • āœ… Same skills in Cursor and Claude - No duplication needed

  • āœ… Seamless switching - Move between tools without reconfiguring

  • āœ… Consistent experience - Skills work identically across all MCP clients

  • āœ… Centralized management - Update skills in one place, available everywhere

šŸ¤– LLM-Managed Skills (No Manual Copy-Paste)

Instead of manually copying, zipping, and uploading files:

āŒ OLD WAY: Manual process 1. Create skill files locally 2. Zip the skill folder 3. Upload to Claude interface 4. Wait for processing 5. Can't easily modify or version āœ… NEW WAY: LLM-managed programmatically 1. Tell Claude: "Create a new skill called 'data-processor'" 2. Claude creates the skill directory and SKILL.md 3. Tell Claude: "Add a Python script to process CSVs" 4. Claude creates and tests the script 5. Tell Claude: "Set the API key for this skill" 6. Claude updates the .env file 7. Tell Claude: "Run the script with this data" 8. Claude executes it and shows results - all instantly!

Key Benefits:

  • āœ… No manual file operations - LLM handles creation, editing, deletion

  • āœ… Instant changes - No upload/download/reload cycles

  • āœ… Full version control - Skills are regular files, can use git

  • āœ… Easy modification - LLM can edit scripts on the fly

  • āœ… Testable - LLM can create and run scripts immediately

  • āœ… Collaborative - Teams can develop skills together via MCP

Features

Skill Management

  • āœ… List all available skills

  • āœ… Browse skill files and directory structure

  • āœ… Read skill files (SKILL.md, scripts, references, assets)

  • āœ… Create new skill files and directories

  • āœ… Update existing skill files

  • āœ… Delete skill files

Script Execution

  • āœ… Run Python, Bash, and other executable scripts

  • āœ… Automatic dependency management for Python scripts using uv inline metadata (PEP 723)

  • āœ… Automatic environment variable injection from secrets

  • āœ… Command-line argument support

  • āœ… Custom working directory support

  • āœ… Capture stdout and stderr

  • āœ… 30-second timeout for safety

Environment Variables

  • āœ… List environment variable keys (secure - no values shown)

  • āœ… Set or update environment variables per skill

  • āœ… Persistent storage in per-skill .env files

  • āœ… Automatic injection into script execution

Directory Structure

~/.skill-mcp/ ā”œā”€ā”€ skill_mcp_server.py # The MCP server (you install this) └── skills/ # Your skills directory ā”œā”€ā”€ example-skill/ │ ā”œā”€ā”€ SKILL.md # Required: skill definition │ ā”œā”€ā”€ .env # Optional: skill-specific environment variables │ ā”œā”€ā”€ scripts/ # Optional: executable scripts │ ā”œā”€ā”€ references/ # Optional: documentation │ └── assets/ # Optional: templates, files └── another-skill/ ā”œā”€ā”€ SKILL.md └── .env

Quick Start

1. Install uv

This project uses uv for fast, reliable Python package management.

# Install uv (includes uvx) curl -LsSf https://astral.sh/uv/install.sh | sh

2. Configure Your MCP Client

Add the MCP server to your configuration. The server will be automatically downloaded and run via uvx from PyPI.

Claude Desktop - Edit the config file:

  • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

  • Windows: %APPDATA%\Claude\claude_desktop_config.json

  • Linux: ~/.config/Claude/claude_desktop_config.json

Cursor - Edit the config file:

  • macOS: ~/.cursor/mcp.json

  • Windows: %USERPROFILE%\.cursor\mcp.json

  • Linux: ~/.cursor/mcp.json

{ "mcpServers": { "skill-mcp": { "command": "uvx", "args": [ "--from", "skill-mcp", "skill-mcp-server" ] } } }

That's it! No installation needed - uvx will automatically download and run the latest version from PyPI.

3. Restart Your MCP Client

Restart Claude Desktop or Cursor to load the MCP server.

4. Test It

In a new conversation:

List all available skills

Claude should use the skill-mcp tools to show skills in ~/.skill-mcp/skills/.

Common uv Commands

For development in this repository:

uv sync # Install/update dependencies uv run python script.py # Run Python with project environment uv add package-name # Add a new dependency uv pip list # Show installed packages uv run pytest tests/ -v # Run tests

Note: uv automatically creates and manages .venv/ - no need to manually create virtual environments!

Script Dependencies (PEP 723)

Python scripts can declare their own dependencies using uv's inline metadata. The server automatically detects this and uses uv run to handle dependencies:

#!/usr/bin/env python3 # /// script # dependencies = [ # "requests>=2.31.0", # "pandas>=2.0.0", # ] # /// import requests import pandas as pd # Your script code here - dependencies are automatically installed! response = requests.get("https://api.example.com/data") df = pd.DataFrame(response.json()) print(df.head())

Benefits:

  • āœ… No manual dependency installation needed

  • āœ… Each script has isolated dependencies

  • āœ… Works automatically when run via run_skill_script

  • āœ… Version pinning ensures reproducibility

How it works:

  1. You add inline metadata to your Python script

  2. When the script runs via run_skill_script, the server detects the metadata

  3. uv automatically creates an isolated environment and installs dependencies

  4. The script runs with access to those dependencies

  5. No manual pip install or virtual environment management needed!

Example: See example-skill/scripts/fetch_data.py for a working example.

Testing locally:

# Scripts with dependencies just work! uv run example-skill/scripts/fetch_data.py

Usage Examples

Creating a New Skill

User: "Create a new skill called 'pdf-processor' that can rotate and merge PDFs" Claude will: 1. Create the skill directory and SKILL.md 2. Add any necessary scripts 3. Test the scripts 4. Guide you through setting up any needed dependencies

Managing Environment Variables

User: "I need to set up a GitHub API token for my GitHub skills" Claude will: 1. Guide you to add it to the skill's .env file 2. Use `read_skill_env` to list available keys 3. Confirm it's available for scripts to use via `os.environ`

Running Skill Scripts

User: "Run the data processing script from my analytics skill" Claude will: 1. List available skills and scripts 2. Execute the script with environment variables 3. Show you the output and any errors

Modifying Existing Skills

User: "Add a new reference document about our API schema to the company-knowledge skill" Claude will: 1. Read the existing skill structure 2. Create the new reference file 3. Update SKILL.md if needed to reference it

Available MCP Tools

The server provides these tools to Claude:

Tool

Purpose

list_skills

List all skills in ~/.skill-mcp/skills

get_skill_details

Get comprehensive details about a specific skill

read_skill_file

Read content of a skill file

create_skill_file

Create a new file in a skill

update_skill_file

Update an existing skill file

delete_skill_file

Delete a skill file

run_skill_script

Execute a script with environment variables

read_skill_env

List environment variable keys for a skill (values hidden)

update_skill_env

Create/update a skill's .env file

Security Features

Path Validation

  • All file paths are validated to prevent directory traversal attacks

  • Paths with ".." or starting with "/" are rejected

  • All operations are confined to the skill directory

Environment Variables

  • Variable values are never exposed when listing

  • Stored in per-skill .env files

  • File permissions should be restricted (chmod 600 on each .env)

Script Execution

  • 30-second timeout prevents infinite loops

  • Scripts run with user's permissions (not elevated)

  • Output size limits prevent memory issues

  • Capture both stdout and stderr for debugging

Troubleshooting

"MCP server not found"

  • Check that uv is in your PATH: which uv (or where uv on Windows)

  • Verify the path to .skill-mcp directory is correct and absolute

  • Test dependencies: cd ~/.skill-mcp && uv run python -c "import mcp; print('OK')"

  • Ensure pyproject.toml exists in ~/.skill-mcp/

"Permission denied" errors

chmod +x ~/.skill-mcp/skill_mcp_server.py chmod 755 ~/.skill-mcp chmod 755 ~/.skill-mcp/skills find ~/.skill-mcp/skills -name ".env" -exec chmod 600 {} \;

Scripts failing to execute

  • Check script has execute permissions

  • Verify interpreter (python3, bash) is in PATH

  • Use list_env_keys to check required variables are set

  • Check stderr output from run_skill_script

Environment variables not working

  • Verify they're set: use read_skill_env for the skill

  • Check the .env file exists: cat ~/.skill-mcp/skills/<skill-name>/.env

  • Ensure your script is reading from os.environ

Advanced: Tool Descriptions for LLMs

All MCP tools have been enhanced with detailed descriptions to prevent confusion:

Skill Tools

  • list_skills - Lists all skills with descriptions, paths, and validation status

  • get_skill_details - Complete skill information: SKILL.md content, all files, scripts, environment variables

File Tools

  • read_skill_file - Read any file in a skill directory

  • create_skill_file - Create new files (auto-creates parent directories)

  • update_skill_file - Update existing files (replaces entire content)

  • delete_skill_file - Delete files permanently (path-traversal protected)

Script Tools

  • run_skill_script - Execute scripts with automatic PEP 723 dependency detection

  • read_skill_env - List environment variables for a skill (keys only, values hidden for security)

  • update_skill_env - Create/update a skill's .env file

Advanced Configuration

Custom Directories

Edit skill_mcp_server.py to change default locations:

# Change skills directory SKILLS_DIR = Path("/custom/path/to/skills")

(No global secrets file; env vars are per-skill .env)

Resource Limits

Adjust limits in skill_mcp_server.py:

MAX_FILE_SIZE = 1_000_000 # File read limit (1MB) MAX_OUTPUT_SIZE = 100_000 # Script output limit (100KB)

Script timeout in the run_skill_script function:

result = subprocess.run(cmd, timeout=30) # 30 seconds

Architecture & Implementation

Package Structure

src/skill_mcp/ ā”œā”€ā”€ server.py # MCP server entry point ā”œā”€ā”€ models.py # Pydantic input/output models ā”œā”€ā”€ core/ │ ā”œā”€ā”€ config.py # Configuration constants │ └── exceptions.py # Custom exception types ā”œā”€ā”€ services/ │ ā”œā”€ā”€ env_service.py # .env file management │ ā”œā”€ā”€ file_service.py # File operations │ ā”œā”€ā”€ skill_service.py # Skill discovery & metadata │ └── script_service.py # Script execution ā”œā”€ā”€ utils/ │ ā”œā”€ā”€ path_utils.py # Secure path validation │ ā”œā”€ā”€ yaml_parser.py # YAML frontmatter parsing │ └── script_detector.py # Script capability detection └── tools/ ā”œā”€ā”€ skill_tools.py # Skill management tools ā”œā”€ā”€ file_tools.py # File operation tools └── script_tools.py # Script execution tools tests/ ā”œā”€ā”€ conftest.py # Pytest fixtures └── 9 test modules # 78 tests (82% coverage passing)

What's New

Enhanced Features:

  • āœ… Skill descriptions extracted from YAML frontmatter

  • āœ… Comprehensive skill details (files, scripts, metadata)

  • āœ… File type detection (Python, Markdown, etc.)

  • āœ… Executable identification with metadata

  • āœ… PEP 723 uv dependency detection - scripts declare own dependencies

  • āœ… Per-skill environment variables (.env files)

  • āœ… Automatic dependency management for scripts

Breaking Changes:

  • Removed global ~/.skill-mcp/secrets (now per-skill .env files)

  • Removed list_env_keys and set_env global tools

  • Replaced get_skill_files with more comprehensive get_skill_details

Test Results

Unit Tests: 78/78 Passing āœ…

Coverage: 82% (522/641 statements covered)

Comprehensive test coverage across all modules:

Module

Coverage

Tests

Core Config

100%

All paths

Models

100%

Input/Output validation

Exception Handling

100%

All exception types

YAML Parser

90%

Frontmatter parsing

Skill Service

90%

Skill discovery & metadata

File Service

89%

File operations

Environment Service

83%

.env management

Skill Tools

85%

Skill management tools

File Tools

79%

File operation tools

Script Detector

87%

Script capability detection

Path Utils

86%

Path validation & security

Server

67%

MCP tool registration

Script Service

53%

Script execution

Script Tools

61%

Script execution tools

Test Breakdown:

  • āœ… Path utilities: 4 tests

  • āœ… YAML parsing: 7 tests

  • āœ… Environment service: 7 tests

  • āœ… File service: 4 tests

  • āœ… Skill service: 5 tests

  • āœ… Script detector: 20 tests

  • āœ… Script service: 7 tests

  • āœ… Integration tests: 24 tests

Manual Tests: All Passed āœ…

  • āœ… List skills with YAML descriptions

  • āœ… Get comprehensive skill details with SKILL.md content

  • āœ… Read/create/update/delete files

  • āœ… Read/update environment variables

  • āœ… Execute scripts with auto-dependencies

  • āœ… Weather-fetcher example runs successfully

Verification Checklist

  • āœ… Server imports successfully

  • āœ… All 9 tools registered and callable

  • āœ… 78/78 unit tests passing (82% coverage)

  • āœ… All manual tests passing

  • āœ… .cursor/mcp.json configured

  • āœ… Package deployed and active

  • āœ… Scripts execute successfully

  • āœ… File operations working

  • āœ… Environment variables working

  • āœ… Backward compatible with existing skills

Best Practices

Skill Development

  • Follow the standard skill structure (SKILL.md, scripts/, references/, assets/)

  • Keep SKILL.md concise and focused

  • Use progressive disclosure (split large docs into references)

  • Test scripts immediately after creation

Environment Variables

  • Use descriptive names (API_KEY, DATABASE_URL)

  • Never log or print sensitive values

  • Set permissions on .env files: chmod 600 ~/.skill-mcp/skills/<skill-name>/.env

Script Development

  • Use meaningful exit codes (0 = success)

  • Print helpful messages to stdout

  • Print errors to stderr

  • Include error handling

  • For Python scripts with dependencies: Use inline metadata (PEP 723)

    # /// script # dependencies = [ # "package-name>=version", # ] # ///
  • Scripts without metadata use the system Python interpreter

  • Scripts with metadata automatically get isolated environments via uv

šŸ” Managing Sensitive Secrets Safely

To prevent LLMs from accessing your sensitive credentials:

āœ… RECOMMENDED: Update .env files directly on the file system

# Edit the skill's .env file directly (LLM cannot access your local files) nano ~/.skill-mcp/skills/my-skill/.env # Add your secrets manually API_KEY=your-actual-api-key-here DATABASE_PASSWORD=your-password-here OAUTH_TOKEN=your-token-here # Secure the file chmod 600 ~/.skill-mcp/skills/my-skill/.env

Why this is important:

  • āœ… LLMs never see your sensitive values

  • āœ… Secrets stay on your system only

  • āœ… No risk of credentials appearing in logs or outputs

  • āœ… Full control over sensitive data

  • āœ… Can be used with git-secret or similar tools for versioning

Workflow:

  1. Claude creates the skill structure and scripts

  2. You manually add sensitive values to .env files

  3. Claude can read the .env keys (without seeing values) and use them

  4. Scripts access secrets via environment variables at runtime

Example:

# Step 1: Claude creates skill "api-client" via MCP # You say: "Create a new skill called 'api-client'" # Step 2: You manually secure the secrets $ nano ~/.skill-mcp/skills/api-client/.env API_KEY=sk-abc123def456xyz789 ENDPOINT=https://api.example.com $ chmod 600 ~/.skill-mcp/skills/api-client/.env # Step 3: Claude can now use the skill securely # You say: "Run the API client script" # Claude reads env var names only, uses them in scripts # Your actual API key is never exposed to Claude

āŒ NEVER DO:

  • āŒ Tell Claude your actual API keys or passwords

  • āŒ Ask Claude to set environment variables with sensitive values

  • āŒ Store secrets in SKILL.md or other tracked files

  • āŒ Use update_skill_env tool with real secrets (only for non-sensitive config)

āœ… DO:

  • āœ… Update .env files manually on your system

  • āœ… Keep .env files in .gitignore

  • āœ… Use chmod 600 to restrict file access

  • āœ… Tell Claude only the variable names (e.g., "the API key is in API_KEY")

  • āœ… Keep secrets completely separate from LLM interactions

āš ļø Important: Verify LLM-Generated Code

When Claude or other LLMs create or modify skills and scripts using this MCP system, always verify the generated code before running it in production:

Security Considerations

  • āš ļø Always review generated code - LLMs can make mistakes or generate suboptimal code

  • āš ļø Check for security issues - Look for hardcoded credentials, unsafe operations, or vulnerabilities

  • āš ļø Test thoroughly - Run scripts in isolated environments first

  • āš ļø Validate permissions - Ensure scripts have appropriate file and system permissions

  • āš ļø Monitor dependencies - Review any external packages installed via PEP 723

Best Practices for LLM-Generated Skills

  1. Review before execution - Always read through generated scripts

  2. Test in isolation - Run in a safe environment before production use

  3. Use version control - Track all changes with git for audit trails

  4. Implement error handling - Add robust error handling and logging

  5. Set resource limits - Use timeouts and resource constraints

  6. Run with minimal permissions - Don't run skills as root or with elevated privileges

  7. Validate inputs - Sanitize any user-provided data

  8. Audit logs - Review what scripts actually do and track their execution

Common Things to Check

  • āŒ Hardcoded API keys, passwords, or tokens

  • āŒ Unsafe file operations or path traversal risks

  • āŒ Unvalidated external commands or shell injection risks

  • āŒ Missing error handling or edge cases

  • āŒ Resource-intensive operations without limits

  • āŒ Unsafe deserialization (eval, pickle, etc.)

  • āŒ Excessive permissions requested

  • āŒ Untrustworthy external dependencies

When in Doubt

  • Ask Claude/LLM to explain the code

  • Have another person review critical code

  • Use linters and security scanning tools

  • Run in containers or VMs for isolation

  • Start with read-only operations before destructive ones

Remember: LLM-generated code is a starting point. Your verification and review are essential for security and reliability.

Installation from PyPI

To install the package globally (optional):

pip install skill-mcp

Or use uvx to run without installation (recommended):

uvx --from skill-mcp skill-mcp-server

Development Setup

If you want to contribute or run from source:

# Clone the repository git clone https://github.com/fkesheh/skill-mcp.git cd skill-mcp # Install dependencies uv sync # Run tests uv run pytest # Run the server locally uv run -m skill_mcp.server

To use your local development version in your MCP client config:

{ "mcpServers": { "skill-mcp": { "command": "uv", "args": [ "run", "--directory", "/path/to/your/skill-mcp", "-m", "skill_mcp.server" ] } } }

License

MIT License

Copyright (c) 2025

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Contributing

This is a custom tool for personal use. Feel free to fork and adapt for your needs.

Support

For setup issues or questions, refer to:

Deploy Server
-
security - not tested
A
license - permissive license
-
quality - not tested

local-only server

The server can only run on the client's local machine because it depends on local resources.

Enables Claude to create, edit, run, and manage reusable skills stored locally, including executing scripts with automatic dependency management and environment variables. Works across all MCP-compatible clients like Cursor, Claude Desktop, and claude.ai.

  1. Quick Status
    1. Overview
      1. Key Advantages
        1. šŸ”“ Not Locked to Claude UI
        2. šŸŽÆ Use Skills Everywhere
        3. šŸ“¦ Independent & Modular
        4. šŸ”„ Share Skills Across All MCP Clients
        5. šŸ¤– LLM-Managed Skills (No Manual Copy-Paste)
      2. Features
        1. Skill Management
        2. Script Execution
        3. Environment Variables
      3. Directory Structure
        1. Quick Start
          1. 1. Install uv
          2. 2. Configure Your MCP Client
          3. 3. Restart Your MCP Client
          4. 4. Test It
        2. Common uv Commands
          1. Script Dependencies (PEP 723)
            1. Usage Examples
              1. Creating a New Skill
              2. Managing Environment Variables
              3. Running Skill Scripts
              4. Modifying Existing Skills
            2. Available MCP Tools
              1. Security Features
                1. Path Validation
                2. Environment Variables
                3. Script Execution
              2. Troubleshooting
                1. "MCP server not found"
                2. "Permission denied" errors
                3. Scripts failing to execute
                4. Environment variables not working
              3. Advanced: Tool Descriptions for LLMs
                1. Skill Tools
                2. File Tools
                3. Script Tools
              4. Advanced Configuration
                1. Custom Directories
                2. Resource Limits
              5. Architecture & Implementation
                1. Package Structure
                2. What's New
              6. Test Results
                1. Unit Tests: 78/78 Passing āœ…
                2. Manual Tests: All Passed āœ…
              7. Verification Checklist
                1. Best Practices
                  1. Skill Development
                  2. Environment Variables
                  3. Script Development
                  4. šŸ” Managing Sensitive Secrets Safely
                2. āš ļø Important: Verify LLM-Generated Code
                  1. Security Considerations
                  2. Best Practices for LLM-Generated Skills
                  3. Common Things to Check
                  4. When in Doubt
                3. Installation from PyPI
                  1. Development Setup
                    1. License
                      1. Contributing
                        1. Support

                          MCP directory API

                          We provide all the information about MCP servers via our MCP API.

                          curl -X GET 'https://glama.ai/api/mcp/v1/servers/fkesheh/skill-mcp'

                          If you have feedback or need assistance with the MCP directory API, please join our Discord server