Context
From scanning results on PR #13 branch. MCPhound is now successfully connecting to the API (90%+ success rate after rate limit fixes), but produces 0 findings across all 50 scanned skills.
Root cause: MCPhound scans MCP server configurations for typosquatting, prompt injection in tool descriptions, etc. It needs skills that actually register MCP tools. Results show:
- ClawHub: Only 7/25 skills had tools detected by MCPhound (1-2 tools each). The rest showed
toolCount: 0.
- skills.sh: All 25 showed
toolCount: 0 because skills.sh skills are instruction files, not MCP servers.
Proposed improvements
- Skip MCPhound for skills.sh skills: These are markdown instruction files, not MCP server packages. Running MCPhound on them wastes API quota.
- Prioritize ClawHub skills with known tools: If MCPhound reports
toolCount > 0, re-scan those periodically. Skills with toolCount: 0 are not useful for MCPhound.
- Consider enriching mcp-config.json: For ClawHub skills resolved to npm packages, we could generate richer configs by querying the npm registry for the package's actual tool definitions.
Context
From scanning results on PR #13 branch. MCPhound is now successfully connecting to the API (90%+ success rate after rate limit fixes), but produces 0 findings across all 50 scanned skills.
Root cause: MCPhound scans MCP server configurations for typosquatting, prompt injection in tool descriptions, etc. It needs skills that actually register MCP tools. Results show:
toolCount: 0.toolCount: 0because skills.sh skills are instruction files, not MCP servers.Proposed improvements
toolCount > 0, re-scan those periodically. Skills withtoolCount: 0are not useful for MCPhound.