scaffold-mcp-server

Warn

Audited by Socket on Feb 27, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This document is a set of scaffolding instructions for creating MCP servers and does not itself contain malicious code or explicit credential-exfiltration instructions. The primary risks are standard supply-chain and configuration issues: running unpinned package-manager installs, reliance on third-party SDKs, and potential mishandling of authentication credentials or of stdout when the stdio transport is used. There are no curl|bash download-execute chains, no references to known exfiltration endpoints, and no obfuscated or dynamic code execution patterns inside the provided text. Recommended mitigations: pin dependency versions, review the reputation of installed SDKs and packages, ensure handlers avoid printing to stdout for stdio transport, validate that middleware correctly handles and stores API keys, and run generated code in isolated environments before production use.

Confidence: 75%
Severity: 75%

Audit Metadata
Analyzed At: Feb 27, 2026, 10:55 PM
Package URL: pkg:socket/skills-sh/pjt222%2Fdevelopment-guides%2Fscaffold-mcp-server%2F@0d7dee50d52bb7268cc15e3825adf5cc9c9906ac