Skip to content

fix: remove .mcp.json to stop shadowing user-scope skillsmp (v1.4.2)#5

Merged
girofu merged 2 commits intomainfrom
girofu/fix-mcp-shadow
Apr 23, 2026
Merged

fix: remove .mcp.json to stop shadowing user-scope skillsmp (v1.4.2)#5
girofu merged 2 commits intomainfrom
girofu/fix-mcp-shadow

Conversation

@girofu
Copy link
Copy Markdown
Owner

@girofu girofu commented Apr 23, 2026

Summary

  • Fix: remove repo-root `.mcp.json`. It registered a project-scope `skillsmp` MCP server with no `SKILLSMP_API_KEY`. Because the entire repo is the plugin payload (`marketplace.json` → `source: "./"`), every v1.4.1 plugin user's properly-configured user-scope `skillsmp` (where the key lives) was silently overridden, causing SkillsMP semantic + keyword search (Sources 1–2) to fail without any visible error.
  • Release: bump `.claude-plugin/plugin.json` to `1.4.2` and finalize CHANGELOG. Cut annotated tag `v1.4.2` + GitHub Release after merge.

Why now

v1.4.1 was released 2026-04-23 04:51Z. Plugin-installed users currently see broken SkillsMP tools (they appear as MCP tools but calls fail). Fix is strictly subtractive — deleting one 88-byte invalid config file — and unblocks the intended semantic-search path.

Blast radius by install path

Path Before fix After fix
`claude plugin install` Broken — keyless .mcp.json shadows user-scope skillsmp `claude plugin update` does `git pull`, removes the file; user-scope version (with key) becomes active
`npx skills add` Unaffected (whitelist: `skills/skill-fetch/*` only) Unaffected
`curl install.sh | bash` Unaffected (hardcoded `FILES[]`) Unaffected
`install.py` Unaffected (hardcoded `FILES`) Unaffected

Only the plugin path is affected, and `git pull`-based plugin updates propagate file deletions correctly, so existing v1.4.1 plugin users auto-heal on next `claude plugin update`.

Migration

Users who want SkillsMP semantic search must register the server once at user scope:
```bash
claude mcp add --scope user skillsmp -- npx -y skillsmp-mcp-server --env SKILLSMP_API_KEY=your_key
```
Or interactively via `/fetch-skill-config` (already documented in README §SkillsMP).

Test plan

  • Verify `install.sh` / `install.py` `FILES[]` whitelist does not reference `.mcp.json` (grep-confirmed)
  • Verify `marketplace.json` `source: "./"` means plugin payload = entire repo (read manifest)
  • Fresh clone of main confirms `.mcp.json` exists on origin pre-merge (88 bytes) and disappears on this branch
  • Post-merge: cut `v1.4.2` tag + GitHub Release
  • Post-release: verify `claude plugin update skill-fetch` on a test machine removes the stale `.mcp.json`

🤖 Generated with Claude Code

girofu and others added 2 commits April 23, 2026 15:25
@girofu @claude
fix: remove .mcp.json to stop shadowing user-scope skillsmp
a9de283 
The committed project-scope .mcp.json registered a keyless skillsmp MCP
server that overrode the user-scope registration carrying SKILLSMP_API_KEY.
Because project-scope takes precedence, the actually-running server had
no API key and SkillsMP calls silently failed.

Drop the file entirely — a public repo cannot carry the secret, and README
§SkillsMP + /fetch-skill-config already guide users to register via
`claude mcp add --scope user`, which is the working path.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@girofu @claude
chore: bump to 1.4.2 and finalize CHANGELOG
ecbdfed 
Move the MCP shadow fix from [Unreleased] to [1.4.2] and bump
plugin.json so plugin consumers picking up skill-fetch@latest get
the fix on next update.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@girofu girofu merged commit 094c6f8 into main Apr 23, 2026
3 checks passed
@girofu girofu deleted the girofu/fix-mcp-shadow branch April 23, 2026 07:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@girofu