nano-step/graphql-inspector
skills/graphql-inspector/SKILL.md
GraphQL schema inspection and query execution skill. Guides AI agents through progressive schema discovery — scan first, drill down second, execute last. Enforces read-only by default with token-efficient workflows.
$ install --global
skillsauthnpx skillsauth add nano-step/skill-manager graphql-inspectorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 3:43 AM137.0s2 files scanned
SKILL.md
- name:
- graphql-inspector
- description:
- >-
- compatibility:
- OpenCode with graphql-tools MCP server
- author:
- kokorolx
- version:
- 1.0.0
GraphQL Inspector Skill
Version: 1.0.0 | MCP Server: graphql-tools | Default Mode: Read-Only
Overview
This skill teaches AI agents the optimal workflow for exploring and querying GraphQL APIs via the graphql-tools MCP server. The core principle is progressive disclosure — start cheap, drill down only when needed.
When to Use This Skill
| Trigger | Action |
|---------|--------|
| "What queries/mutations are available?" | filter_queries / filter_mutations with detailed=false |
| "How do I call X query?" | get_field_details for args + return type |
| "What fields does Type Y have?" | get_type_details |
| "Run this query" | execute_query (read-only) |
| "What does the schema look like?" | filter_queries + filter_mutations + filter_types (NOT get_graphql_schema) |
Golden Rule: Progressive Disclosure
NEVER start with get_graphql_schema. It dumps the entire schema and wastes tokens.
Follow this flow instead:
Step 1: SCAN (cheap, small payload)
filter_queries(detailed=false) → list query names + descriptions
filter_mutations(detailed=false) → list mutation names + descriptions
Step 2: DRILL DOWN (only for fields you need)
get_field_details(field_name="targetField", operation_type="query")
→ get arguments, return type, deprecation info
Step 3: UNDERSTAND TYPES (only if return/input types are complex)
get_type_details(type_name="ComplexType")
→ get fields, enums, interfaces
filter_types(kind="INPUT_OBJECT", search="CreateInput")
→ find input types for mutations
Step 4: EXECUTE (only after understanding the schema)
execute_query(query="query { ... }")
→ run read-only query with known structure
Available Tools
Inspection Tools (always available, all read-only)
| Tool | Purpose | When to Use |
|------|---------|-------------|
| filter_queries | List available queries | First step — scan what's available |
| filter_mutations | List available mutations | First step — scan what's available |
| filter_types | List types by kind/search | Find INPUT_OBJECT types for mutation args |
| get_field_details | Deep dive into one field | Second step — get args + return type |
| get_type_details | Deep dive into one type | Understand complex return/input types |
| get_graphql_schema | Full schema dump (SDL) | Last resort only — very large payload |
Execution Tools
| Tool | Purpose | Availability |
|------|---------|-------------|
| execute_query | Run read-only GraphQL query | Always available |
| execute_mutation | Run GraphQL mutation | Only when ALLOW_MUTATIONS=true |
Workflow Examples
Example 1: "What can I query?"
1. filter_queries(detailed=false)
→ Returns: [{ name: "getUser", description: "Fetch user by ID" }, ...]
2. Found interesting query "getUser", need args:
get_field_details(field_name="getUser", operation_type="query")
→ Returns: args=[{name: "id", type: "ID!"}], return_type="User"
3. Need to know User fields:
get_type_details(type_name="User")
→ Returns: fields=[{name: "id"}, {name: "email"}, {name: "name"}, ...]
4. Now execute with confidence:
execute_query(query="query { getUser(id: \"123\") { id name email } }")
Example 2: "Find queries related to orders"
1. filter_queries(search="order", detailed=false)
→ Returns matching queries with names + descriptions
2. If need more detail on a specific one:
get_field_details(field_name="getOrderById", operation_type="query")
Example 3: "What input does createUser mutation need?"
1. get_field_details(field_name="createUser", operation_type="mutation")
→ Returns: args=[{name: "input", type: "CreateUserInput!"}]
2. filter_types(kind="INPUT_OBJECT", search="CreateUserInput")
→ Returns input type with all fields and their types
Example 4: "Show me all enum types"
1. filter_types(kind="ENUM", detailed=true)
→ Returns all enums with their values
Common Parameters
All tools accept these optional auth parameters:
| Parameter | Description |
|-----------|-------------|
| endpoint | GraphQL endpoint URL (default from server config) |
| username | Basic auth username |
| password | Basic auth password |
| bearer_token | Bearer token for auth |
Anti-Patterns (DO NOT)
| Bad Practice | Why | Do Instead |
|-------------|-----|------------|
| Start with get_graphql_schema | Dumps entire schema, wastes tokens | filter_queries(detailed=false) |
| Use detailed=true on first call | Returns args/types for ALL fields | detailed=false first, then get_field_details for specific fields |
| Execute query without understanding schema | Likely wrong field names or args | Scan → drill down → execute |
| Call execute_mutation without checking availability | Will error if mutations disabled | Check if tool is listed first |
| Guess field names in queries | Will get GraphQL errors | Always inspect schema first |
Safety Model
The server enforces 3 layers of protection:
- Tool Listing:
execute_mutationis hidden whenALLOW_MUTATIONSis not set - Execution Guard:
execute_mutationrejects at runtime even if called directly - AST Validation: GraphQL documents are parsed — operation type verified at AST level
Default is read-only. Mutations require explicit ALLOW_MUTATIONS=true env var on the server.
Token Efficiency Tips
filter_queries(detailed=false)returns ~50 bytes per field vs ~500 bytes withdetailed=true- Use
searchparameter to narrow results before drilling down get_field_detailsfor ONE field is cheaper thanfilter_queries(detailed=true)for ALL fields- Cache awareness: repeated calls to same endpoint use 5-minute server cache
Troubleshooting
| Issue | Solution |
|-------|----------|
| "Unknown tool: execute_mutation" | Mutations disabled (default). Set ALLOW_MUTATIONS=true on server |
| "Mutations are not allowed in read-only mode" | Query sent to execute_query contains a mutation. Use execute_mutation instead |
| "Subscriptions are not supported" | Subscriptions are intentionally blocked |
| Empty results from filter | Check endpoint is correct and accessible |
| Auth errors | Verify credentials — try get_graphql_schema with auth params first |
Related Skills
nano-step/iamhumans
tools
VerifiedTrustedCommunity
Humanization layer for LLM conversation — makes the model sound and respond like a real, thoughtful, embodied human rather than an assistant or chatbot. Use whenever the reply will be read by a human and warmth, presence, or texture matter more than machine-readability. Triggers on any of: "human", "humans", "humanize", "humanization", "be human", "more human", "feel human", "people", "person", "real person", "real human", "friend", "friendly", "like a friend", "respond like a friend", "buddy", "talk", "talking", "talk to me", "talk like a person", "chat", "chatting", "conversation", "converse", "discuss", "discussion", "communication", "communicate", "listen", "just listen", "sit with me", "vent", "venting", "I just want to vent", "company", "presence", "stop being an AI", "stop sounding like a bot", "less corporate", "less robotic", "less formal", "warmer", "warm tone", "empathy", "empathetic", "comfort", "support me", "emotional support", "be honest with me", "be real with me", "real talk", "heart-to-heart", "deep conversation", "casual", "casual chat", "small talk", "chitchat", "say something", "tell me something", and on any emotional / relational / personal-decision / interpersonal context — grief, joy, anger, fear, shame, doubt, loneliness, dating, breakup, conflict, family, parents, sibling, friendship, marriage, divorce, in-laws, kids, parenting, work stress, burnout, career decision, quitting, firing, layoff, anxiety, depression, panic, sleep, dreams, identity, faith, doubt, meaning, mortality, celebration, milestone, achievement, gratitude, apology, forgiveness. Also loads when the user writes in non-English (any language) with emotional weight, when the user's message is shorter than 8 words and affect-laden, when the user types in lowercase fragments, when the user types in ALL CAPS with excitement, or when the user explicitly asks for a friend / mentor / older-sibling / wise-listener voice. Do NOT use for code generation, tool calls, structured data output, SQL, API contracts, or any task where machine-readability matters more than human warmth.
3SKILL.mdUpdated Jun 1, 2026
nano-step/open-design-mcp
tools
VerifiedTrustedCommunity
Use this skill whenever the user mentions open-design, od_generate_design, OD daemon, BYOK design generation, generating HTML mockups from a PRD, creating or managing Open Design projects, saving design artifacts, linting generated HTML, or any of the 10 `od_*` MCP tools (od_list_projects, od_get_project, od_create_project, od_update_project, od_delete_project, od_save_artifact, od_save_project_file, od_lint_artifact, od_compose_brief, od_generate_design). Also trigger on phrases like "generate a design", "create a mockup", "make a landing page", "list my OD projects", "the design daemon", "the streaming design tool", and on any 401/404/422 error coming from an `od_*` tool call. Covers env-var setup (`OD_DAEMON_URL`, auth modes, BYOK), the full PRD → generate → save → lint workflow, error diagnosis, and the safety rails (lint before save, never commit BYOK keys). Triggers even if the user doesn't explicitly say "open-design-mcp" — keyword matches on `od_*` tool names or "design generation" workflows are enough.
3SKILL.mdUpdated May 19, 2026
nano-step/od-workflow
tools
VerifiedTrustedCommunity
Use this skill whenever a user wants the **full Open Design experience** — discovery questions asked first, brand-spec extraction from URLs/files, TodoWrite planning with live updates, 5-dimensional self-critique, polished artifact at the end. Trigger phrases include "design with questions first", "OD-style workflow", "full interactive design brief", "make me a complete landing page" (when the user wants quality over speed), "design my pitch deck", "brand-aware multi-page site", "follow the Open Design playbook", or any request where the user is starting a new design project rather than tweaking an existing artifact. Also trigger on any request that mentions wanting brand consistency across multiple pages or that provides a brand URL/spec. Pair with the `open-design-mcp` tool-reference skill — both loaded together give an LLM the full picture (this skill = workflow choreography; that skill = tool catalog + errors). This skill explicitly does NOT trigger for one-off tweaks ("make the nav stickier", "swap slide 3 image") — use od_generate_design directly for those.
3SKILL.mdUpdated May 19, 2026
nano-step/sync-skill-to-manager
development
VerifiedTrustedCommunity
Sync a locally-developed OpenCode skill to the skill-manager npm package and (if private) the private-skills GitHub repo. Handles per-skill version bumps, public/private classification, build verification, and conventional-commit-style git push. Auto-publish to npm is handled downstream by nano-step/shared-workflows@v1 when the push to master lands. Use this skill whenever the user says 'sync skill', 'publish skill', 'push skill to manager', '/sync-skill-to-manager <name>', or asks to release/distribute a skill they just edited.
3SKILL.mdUpdated May 7, 2026