Add client utilities for downloading skills

[jlowin]

Adds client-side utilities for discovering and downloading skills from MCP servers that expose them via SkillsProvider.

from fastmcp import Client
from fastmcp.utilities.skills import list_skills, download_skill, sync_skills

async with Client("http://skills-server/mcp") as client:
    # See what's available
    skills = await list_skills(client)
    
    # Download one
    await download_skill(client, "pdf-processing", "~/.claude/skills")
    
    # Or sync everything
    await sync_skills(client, "~/.claude/skills")

The utilities work by reading the standard skill://{name}/_manifest resources that SkillsProvider exposes - no special protocol needed.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bb5af39b7b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Reject manifest paths that escape the target directory

The download loop trusts file_info.path from the server manifest and directly joins it with skill_dir. If a remote server returns paths like ../../.ssh/authorized_keys or absolute paths, this will write outside the intended skills folder (the subsequent mkdir/write_* calls will happily create or overwrite files). This is a security issue whenever these utilities are used against untrusted servers. Consider resolving the candidate path and enforcing is_relative_to(skill_dir) (and rejecting absolute paths) before creating directories or writing files.

Useful? React with 👍 / 👎.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds client-side skills utilities and examples for FastMCP. New module src/fastmcp/utilities/skills.py introduces dataclasses (SkillSummary, SkillFile, SkillManifest) and async functions (list_skills, get_skill_manifest, download_skill, sync_skills) to discover and download MCP skills. Adds example script examples/skills/download_skills.py demonstrating listing and downloading skills. Adds documentation in docs/servers/providers/skills.mdx with usage examples; the documentation block appears duplicated in the diff. No API signature removals or other public-entity deletions.

Possibly related PRs

• Add Skills Provider for exposing agent skills as MCP resources #2944: Adds the Skills provider that emits skill:// resources and the _manifest JSON used by the new client utilities.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Add client utilities for downloading skills' directly summarizes the main change: introducing new client-side utilities for skill discovery and download.
Description check	✅ Passed	The PR description clearly explains the feature, provides code examples, and describes how the utilities work, though it doesn't include all checklist items from the template.
Docstring Coverage	✅ Passed	Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

src/fastmcp/utilities/skills.py (2)

176-179: Consider logging or warning when a file cannot be read.

Silently continuing when read_resource returns empty could hide server-side issues. While this keeps the function resilient, users may not realize files were skipped.

Optional: Add logging for skipped files

+import logging
+
+logger = logging.getLogger(__name__)
+
 # In download_skill function:
         if not result:
+            logger.warning(f"Could not read resource: {file_uri}")
             continue

---

231-239: Consider handling partial failures gracefully.

If download_skill raises ValueError (e.g., missing manifest), sync_skills aborts entirely. Depending on intended behavior, you might want to catch and log errors for individual skills while continuing with others.

Optional: Continue on individual skill failures

     for skill in skills:
         try:
             path = await download_skill(
                 client, skill.name, target_dir, overwrite=overwrite
             )
             downloaded.append(path)
         except FileExistsError:
             # Skip existing skills when not overwriting
             continue
+        except ValueError as e:
+            # Log and skip skills that fail to download
+            logger.warning(f"Failed to download skill '{skill.name}': {e}")
+            continue

[coderabbitai]

Actionable comments posted: 2