test-mcp-by-cli

Warn

Audited by Socket on Mar 9, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

The skill is coherent in aiming to test MCP servers via mcp-cli and uses well-defined steps for verification and debugging. However, the install approach (curl | bash from raw.githubusercontent.com) introduces a non-trivial supply-chain risk because it downloads and executes code from an untrusted, external source rather than a verified package registry. This alone warrants elevated scrutiny. The rest of the workflow (CLI invocations, environment controls, and JSON argument handling) aligns with the stated purpose and does not introduce credential harvesting or unneeded broad access, but the installation path and potential for unverified scripts executing in the agent’s environment push the overall risk into the suspicious category. If the installation were constrained to official registries or signed and verifiable installers, the risk would be more clearly benign.

Confidence: 62%
Severity: 65%

Audit Metadata

Analyzed At: Mar 9, 2026, 07:43 PM
Package URL: pkg:socket/skills-sh/yigitkonur%2Fskills-by-yigitkonur%2Ftest-mcp-by-cli%2F@f25d3cfee5129edfc7cff1b779d873c56f78b870