
Example Skills

Six agent skills for creating, controlling, and auditing an MCP server, built according to the same MCP-first rules they enforce.

A skill is a packaged workflow, the third building block of an MCP-first system (see Prompts / Workflows). It guides an agent through a multi-step process without requiring it to click through interfaces.

The following example skills operate the MCP server itself: they create, control, and audit it. Crucially, these skills follow the same rules they enforce: every step carries a risk level, write and critical steps sit behind a confirmation gate, and every action produces an audit event.

Create

mcp.scaffold_server (risk level: High)

Bootstraps a capability-first MCP server: domain actions first, typed schemas, policy engine, risk metadata, and audit, before any interface is built.

Trigger: "Create an MCP server for …" (category: Create)

Procedure

  1. Model domain actions; business logic stays in the domain, not in the server. Low
  2. Generate typed input, output, and error schemas for each action. Low
  3. Assign a risk level and confirmation policy to each tool. Medium
  4. Wire up the policy engine (can(user, action, resource, context)) and audit events. Medium
  5. Generate server as an adapter: discovery, schema exposure, policy checks, audit logging. High
  6. Register write and critical tools only after explicit approval. Critical ⏸ Approval gate

Adheres to

  • Capabilities over screens: capabilities first, no UI assumptions.
  • Typed inputs and outputs: no loose JSON.
  • Policies over trust: every capability gets permissions and a risk level.
  • Audit over opacity: every action produces an audit event.

capability.add (risk level: High)

Adds a new capability according to the tool contract standard. Nothing is registered without a complete contract.

Trigger: "Add a tool/resource for …" (category: Create)

Procedure

  1. Clarify user intent and category; reuse an existing capability as a template. Low
  2. Define input/output/error schema and required scopes. Low
  3. Set risk level, side effects, and audit event. Medium
  4. Determine confirmation policy (autonomous, confirmation, step-up, four-eyes, not for AI). Medium
  5. Provide a dry-run mode for risky tools. Medium
  6. Register the capability and enable it in discovery. High ⏸ Approval gate

Adheres to

  • Tools over buttons: one unified contract per capability.
  • Confirmation over blind automation: policy before registration.
  • Dry run for risky actions.
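
Added example (not code from the page or the project it describes): a minimal capability-first core in Python that enforces the rules the mcp.scaffold_server and capability.add procedures describe. Each capability carries a risk level, required scopes, a confirmation policy, and the input fields it must redact; the policy engine can(user, action, resource, context) runs before every call; write and critical steps stop at a confirmation gate whose required evidence depends on the policy (confirmation, step-up, four-eyes, not for AI); risky tools offer a dry run; side-effecting tools register only with explicit approval; and every outcome, including denials, emits an audit event. The class and function names, the policy semantics, and the demo tools are assumptions for illustration, not the project's API.

```python
# Added example, not the project's code. Names, policy semantics and demo tools are assumptions.
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Any, Callable


class Risk(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    CRITICAL = 3


# Confirmation policies named on the page.
POLICIES = {"autonomous", "confirmation", "step_up", "four_eyes", "not_for_ai"}


@dataclass
class Capability:
    """The tool contract: nothing is registered without every field."""
    name: str
    risk: Risk
    policy: str
    scopes: frozenset[str]
    side_effects: bool
    handler: Callable[[dict], Any]
    sensitive_fields: frozenset[str] = frozenset()

    def __post_init__(self) -> None:
        if self.policy not in POLICIES:
            raise ValueError(f"{self.name}: unknown confirmation policy {self.policy!r}")
        if (self.side_effects or self.risk >= Risk.HIGH) and self.policy == "autonomous":
            raise ValueError(f"{self.name}: write/critical tools cannot be autonomous")


def can(user: dict, action: str, resource: Capability, context: dict) -> bool:
    """Policy engine: scopes must cover the tool, and agents never get not_for_ai tools."""
    if not resource.scopes <= set(user.get("scopes", ())):
        return False
    if context.get("caller") == "agent" and resource.policy == "not_for_ai":
        return False
    return action == "invoke"


def gate_satisfied(cap: Capability, context: dict) -> bool:
    """Confirmation gate: the evidence each policy needs before the handler runs."""
    if cap.policy == "autonomous":
        return True
    if cap.policy == "step_up":
        return bool(context.get("confirmed") and context.get("step_up_auth"))
    if cap.policy == "four_eyes":
        return len(set(context.get("approvers", ()))) >= 2
    # "confirmation", and "not_for_ai" for a human caller (can() already barred agents).
    return bool(context.get("confirmed"))


class Registry:
    def __init__(self) -> None:
        self.tools: dict[str, Capability] = {}
        self.audit: list[dict] = []

    def register(self, cap: Capability, approved_by: str | None = None) -> None:
        # Write and critical tools are registered only after explicit approval.
        if (cap.side_effects or cap.risk >= Risk.HIGH) and approved_by is None:
            raise PermissionError(f"{cap.name}: registration needs explicit approval")
        self.tools[cap.name] = cap
        self._emit("capability.registered", cap, {}, approved_by or "system")

    def invoke(self, user: dict, name: str, args: dict, context: dict,
               dry_run: bool = False) -> dict:
        cap = self.tools[name]
        if not can(user, "invoke", cap, context):
            self._emit("tool.denied", cap, args, user["id"])
            raise PermissionError(f"{name}: denied by policy")
        if dry_run:  # report what would happen; no handler call, still audited
            self._emit("tool.dry_run", cap, args, user["id"])
            return {"status": "dry_run", "risk": cap.risk.name, "policy": cap.policy}
        if not gate_satisfied(cap, context):
            self._emit("tool.confirmation_required", cap, args, user["id"])
            return {"status": "awaiting_confirmation", "policy": cap.policy}
        result = cap.handler(args)
        self._emit("tool.invoked", cap, args, user["id"])
        return {"status": "ok", "result": result}

    def _emit(self, event: str, cap: Capability, args: dict, actor: str) -> None:
        # Every action produces an audit event; sensitive inputs are redacted first.
        redacted = {k: "***" if k in cap.sensitive_fields else v for k, v in args.items()}
        self.audit.append({"event": event, "tool": cap.name, "risk": cap.risk.name,
                           "actor": actor, "args": redacted})


def build_demo_registry() -> Registry:
    """Constructed demo inventory: a read tool, a write tool, and a human-only tool."""
    reg = Registry()
    reg.register(Capability("ticket.get", Risk.LOW, "autonomous", frozenset({"tickets:read"}),
                            False, lambda a: {"id": a["id"], "state": "open"}))
    reg.register(Capability("ticket.close", Risk.HIGH, "confirmation", frozenset({"tickets:write"}),
                            True, lambda a: f"closed {a['id']}",
                            sensitive_fields=frozenset({"customer_email"})),
                 approved_by="admin")
    reg.register(Capability("tenant.delete", Risk.CRITICAL, "not_for_ai", frozenset({"tenant:admin"}),
                            True, lambda a: f"deleted {a['tenant']}"), approved_by="admin")
    return reg
```

The gate evidence (confirmed, step_up_auth, approvers) arrives in the call context. In a production server it must be derived from the authenticated session, not from a flag the agent itself can set in its request; otherwise the confirmation gate is a formality.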

Control

mcp.control_visibility (risk level: High)

Controls tool visibility per user, client, tenant, role, and scope, enforced at discovery time, not only at call time.

Trigger: "Which tools may agent X see?" (category: Control)

Procedure

  1. Resolve identity and context: user, MCP client, agent identity, tenant. Low
  2. Compute effective permissions (user + agent + client trust + resource sensitivity). Low
  3. Filter the tool list to allowed capabilities; forbidden tools are never returned. Medium
  4. Adjust confirmation policies per role. High ⏸ Approval gate

Adheres to

  • Tool visibility by permissions: filter at discovery.
  • Context over raw data: only what the agent needs.
  • Policies over trust.

mcp.connect_client (risk level: Critical)

Connects an MCP client in a controlled way: OAuth 2.1 authorization code with PKCE, client allowlist, short-lived tokens, refresh token rotation.

Trigger: "Connect client … to the MCP server" (category: Control)

Procedure

  1. Check the client against the allowlist; validate redirect URIs by exact match, as OAuth 2.1 requires. Medium
  2. Set up OAuth 2.1 + PKCE; configure short access-token lifetimes. High
  3. Grant minimal scopes (least privilege); enable refresh token rotation. High
  4. Activate the client, with admin step-up authentication. Critical ⏸ Approval gate

Adheres to

  • Human UIs and clients are just clients: the core remains the capability layer.
  • Step-up authentication for critical actions.
  • Audit over opacity: client activation is audited.
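
Added example (not the project's code): the server-side checks behind mcp.connect_client, in Python with only the standard library. It models the OAuth 2.1 authorization-code flow with PKCE (S256): the client is looked up on an allowlist, the redirect URI must match a registered one exactly, only S256 is accepted, granted scopes are the intersection of what was requested and what the client is allowed (least privilege), authorization codes are single-use and expire after a minute, access tokens are short-lived, and refresh tokens rotate on every use, with replay of a rotated-out token treated as theft and the client revoked. AuthServer, its methods, the TTL values, and the demo client are assumptions.

```python
# Added example, not the project's code. Class, method names and TTL values are assumptions.
from __future__ import annotations

import base64
import hashlib
import secrets
import time
from typing import Callable

ACCESS_TTL = 600          # short-lived access tokens (10 min; assumed value)
REFRESH_TTL = 8 * 3600    # refresh tokens live longer but rotate on every use
CODE_TTL = 60             # authorization codes are single-use and short-lived


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client side: 32 random bytes -> 43-char code_verifier (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def challenge_for(verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Server side of authorization code + PKCE for an allowlisted MCP client."""

    def __init__(self, allowlist: dict[str, dict], now: Callable[[], float] = time.time):
        self.allowlist = allowlist     # client_id -> {"redirect_uris": [...], "scopes": {...}}
        self.now = now
        self.codes: dict[str, dict] = {}
        self.refresh: dict[str, dict] = {}     # live refresh tokens
        self.consumed: dict[str, str] = {}     # rotated-out refresh token -> client_id
        self.revoked: set[str] = set()

    def authorize(self, client_id: str, redirect_uri: str, scope: str,
                  code_challenge: str, method: str) -> tuple[str, set[str]]:
        client = self.allowlist.get(client_id)
        if client is None or client_id in self.revoked:
            raise PermissionError("client not on allowlist")
        # Exact string match: no prefix or wildcard matching on redirect URIs.
        if redirect_uri not in client["redirect_uris"]:
            raise PermissionError("redirect_uri not registered")
        if method != "S256":
            raise PermissionError("only S256 code_challenge_method accepted")
        # Least privilege: grant only the intersection of requested and allowed scopes.
        granted = set(scope.split()) & client["scopes"]
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "scopes": granted,
                            "exp": self.now() + CODE_TTL}
        return code, granted

    def token(self, client_id: str, code: str, redirect_uri: str, code_verifier: str) -> dict:
        rec = self.codes.pop(code, None)          # single use, even on a failed attempt
        if rec is None or rec["exp"] < self.now():
            raise PermissionError("unknown or expired code")
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise PermissionError("code bound to a different client or redirect_uri")
        if not secrets.compare_digest(challenge_for(code_verifier), rec["challenge"]):
            raise PermissionError("PKCE verification failed")
        return self._issue(client_id, rec["scopes"])

    def refresh_token(self, client_id: str, refresh: str) -> dict:
        if refresh in self.consumed:
            # Replay of a rotated-out token: treat as theft and revoke the client.
            self._revoke(self.consumed[refresh])
            raise PermissionError("refresh token reuse detected; client revoked")
        rec = self.refresh.pop(refresh, None)
        if rec is None or rec["client_id"] != client_id or rec["exp"] < self.now():
            raise PermissionError("invalid refresh token")
        self.consumed[refresh] = client_id
        return self._issue(client_id, rec["scopes"])

    def _issue(self, client_id: str, scopes: set[str]) -> dict:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.refresh[refresh] = {"client_id": client_id, "scopes": scopes,
                                 "exp": self.now() + REFRESH_TTL}
        return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "refresh_token": refresh, "scope": " ".join(sorted(scopes))}

    def _revoke(self, client_id: str) -> None:
        self.revoked.add(client_id)
        self.refresh = {k: v for k, v in self.refresh.items() if v["client_id"] != client_id}
```

In the real flow the client keeps code_verifier private, sends only challenge_for(verifier) in the authorization request, and presents the verifier at the token endpoint, so a code intercepted on the redirect is useless without it. Client activation (step 4) would place changes to AuthServer.allowlist behind the admin step-up gate; that part is not modelled here.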

Audit

mcp.audit_trail (risk level: Low)

Read-only review: reads the audit trail and risk coverage, runs through the MCP-first checklist, and reports gaps. Changes nothing.

Trigger: "Audit the MCP server against MCP-first" (category: Audit)

Procedure

  1. Read the capability inventory and its risk levels. Low
  2. Check audit events for completeness and redaction of sensitive inputs. Low
  3. Flag tools without risk classification or confirmation policy. Low
  4. Cross-check forbidden-for-AI capabilities against actual visibility. Low
  5. Output findings as a structured report, no write action. Low

Adheres to

  • Audit over opacity: every action traceable.
  • 100% controllable, not 100% autonomous: the audit itself changes nothing.
  • Context over raw data: a report instead of a database dump.

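
Added example (not the project's code) covering both mcp.control_visibility and mcp.audit_trail, since the audit's cross-check needs the same inventory model. visible_tools applies the discovery-time filter: effective scopes are the intersection of user and agent scopes, tenant-bound tools are hidden outside their tenant, client trust caps the resource sensitivity a client may see, and not-for-AI tools are never listed to an agent. audit_report is the read-only review: it flags tools without a risk level or confirmation policy, compares the not-for-AI policy against the tool list discovery actually returned to an agent, and checks audit events for required fields and unredacted sensitive inputs. The data model, the trust-to-sensitivity mapping, and the demo inventory are constructed for illustration.

```python
# Added example, not the project's code. Data model, mappings and inventory are constructed.
from __future__ import annotations

from dataclasses import dataclass

SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
# Assumed mapping: the highest resource sensitivity each client trust class may see.
MAX_SENSITIVITY_FOR_TRUST = {"untrusted": "public", "partner": "internal", "internal": "restricted"}


@dataclass(frozen=True)
class Tool:
    name: str
    scopes: frozenset[str]
    sensitivity: str                        # sensitivity of the resource the tool touches
    risk: str | None = None                 # None = missing classification (an audit finding)
    policy: str | None = None               # confirmation policy; None = missing (a finding)
    tenants: frozenset[str] | None = None   # None = available in every tenant
    sensitive_inputs: frozenset[str] = frozenset()


@dataclass(frozen=True)
class Principal:
    user_scopes: frozenset[str]
    agent_scopes: frozenset[str]   # what the agent identity itself is allowed to do
    client_trust: str
    tenant: str
    is_agent: bool


def effective_scopes(p: Principal) -> frozenset[str]:
    # Intersection, not union: the agent never exceeds its user, nor the user its agent.
    return p.user_scopes & p.agent_scopes


def visible_tools(inventory: list[Tool], p: Principal) -> list[Tool]:
    """Discovery-time filter: tools the caller may not use are not listed at all."""
    max_sens = SENSITIVITY[MAX_SENSITIVITY_FOR_TRUST[p.client_trust]]
    out = []
    for t in inventory:
        if not t.scopes <= effective_scopes(p):
            continue
        if t.tenants is not None and p.tenant not in t.tenants:
            continue
        if SENSITIVITY[t.sensitivity] > max_sens:
            continue
        if p.is_agent and t.policy == "not_for_ai":
            continue
        out.append(t)
    return out


REQUIRED_EVENT_FIELDS = ("event", "tool", "actor", "risk")


def audit_report(inventory: list[Tool], audit_log: list[dict],
                 observed_agent_listing: set[str]) -> list[tuple[str, str]]:
    """Read-only review: returns (finding, subject) pairs and changes nothing."""
    findings: list[tuple[str, str]] = []
    by_name = {t.name: t for t in inventory}
    for t in inventory:
        if t.risk is None:
            findings.append(("missing_risk_level", t.name))
        if t.policy is None:
            findings.append(("missing_confirmation_policy", t.name))
        # Cross-check policy against what discovery actually returned to an agent.
        if t.policy == "not_for_ai" and t.name in observed_agent_listing:
            findings.append(("not_for_ai_tool_visible_to_agent", t.name))
    for ev in audit_log:
        missing = [f for f in REQUIRED_EVENT_FIELDS if f not in ev]
        if missing:
            findings.append(("incomplete_audit_event", f"{ev.get('tool', '?')}: {','.join(missing)}"))
        t = by_name.get(ev.get("tool", ""))
        if t is None:
            findings.append(("audit_event_for_unknown_tool", str(ev.get("tool"))))
            continue
        for k in t.sensitive_inputs:
            if ev.get("args", {}).get(k) not in (None, "***"):
                findings.append(("unredacted_sensitive_input", f"{t.name}.{k}"))
    return sorted(findings)


def demo_inventory() -> list[Tool]:
    """Constructed inventory with deliberate gaps for the audit to find."""
    return [
        Tool("ticket.get", frozenset({"tickets:read"}), "internal", "Low", "autonomous"),
        Tool("ticket.close", frozenset({"tickets:write"}), "internal", "High", "confirmation",
             sensitive_inputs=frozenset({"customer_email"})),
        Tool("payroll.export", frozenset({"hr:read"}), "restricted", "High", "not_for_ai"),
        Tool("tenant.delete", frozenset({"tenant:admin"}), "restricted", None, None,
             tenants=frozenset({"t-acme"})),
    ]
```

The cross-check deliberately takes the observed listing (what the server really returned to an agent client) rather than recomputing it with visible_tools; an audit that re-derives visibility from the same policy it is meant to verify cannot detect a misconfigured server.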
mcp.harden_security (risk level: Critical)

Reviews and raises the protection level: protection classes, step-up coverage, redaction, rate limits, and prompt-injection protection. Changes require approval.

Trigger: "Harden the security of the MCP server" (category: Audit)

Procedure

  1. Check sensitive areas and protection classes per resource/tool. Low
  2. Verify step-up auth for critical tools; propose missing ones. Medium
  3. Check redaction rules and context filtering for AI access. Medium
  4. Evaluate rate limits and prompt injection protection. High
  5. Apply policy changes, with admin approval (four-eyes). Critical ⏸ Approval gate

Adheres to

  • Policies over trust: AI is controlled, not trusted.
  • Confirmation over blind automation: policy changes require approval.
  • Context over raw data: redaction for sensitive data.

Build capabilities once. Expose them everywhere, including the skills that operate the server itself.
