Bind Protocol MCP server for credential verification, policy authoring, and zero-knowledge proof generation.
Security Analysis
high confidenceThe skill's requirements, instructions, and install method are consistent with a Bind Protocol MCP server integration; it requests a single Bind agent key and installs an npm package which matches the described functionality.
Name/description align with requested binaries (node, npx), the declared primary credential (BIND_API_KEY / agent key), and the npm package @bind-protocol/mcp-server — all are expected for running a local MCP server that proxies to Bind's API.
SKILL.md confines actions to installing/running the MCP server via npx, configuring client .mcp.json, and using local vs API-backed tools. It explicitly documents what data stays local and what is sent to the Bind API (notably, bind_submit_prove_job sends raw proof inputs). This is coherent with the stated purpose but has privacy implications users should understand before sending proof inputs to the service.
Install is via the npm package @bind-protocol/mcp-server (declared). This is a typical and expected mechanism for a Node-based MCP server. It's moderate risk compared with audited system packages — users should verify the npm package publisher/version before running npx to avoid pulling untrusted code.
Only a single required environment variable (BIND_API_KEY) is listed as the primary credential and is directly relevant; optional vars are for URL, receipts path, and logging. No unrelated secrets or multiple unrelated credentials are requested.
Skill does not request always:true and does not ask to modify other skills or system-wide settings. It instructs the user how to add the server to client configs (user action). Autonomous invocation is allowed by default but not combined with other red flags.
Guidance
This skill appears coherent: it runs a local MCP server (npm package) and needs a Bind agent key (idbr_agent_...). Before installing, verify the npm package and publisher (pin a version), create an agent key with minimum scope/permissions, and confirm the org audit/rotation policy. Be aware that some API-backed operations (e.g., prove job submission) will send raw proof inputs to Bind — avoid sending sensitive data unless you trust the Bind service and have appropriately scoped the agent key. Prefer environment-variable injection (as recommended) rather than embedding keys in files, and review the package's repository or published metadata before running npx.
Latest Release
v2.0.0
bind-protocol-mcp 1.0.2 Changelog - Updated documentation to reflect a unified MCP server (local and remote servers are now a single local server with API access). - Now requires an Agent key (`idbr_agent_...`) via the `BIND_API_KEY` environment variable for API-backed tools; regular API keys are no longer supported for MCP. - Clarified privacy model: all credential data remains local; only hashes, policy specs, proof inputs, and metadata are sent to the API. - Simplified setup instructions; the user configures only one server instance in their MCP client. - Expanded environment variable support and documented optional configuration paths and logging. - Tool inventory and workflow sections updated for clarity and alignment with new API key requirements and architecture.
Popular Skills
Published by @jason-c-child on ClawHub
