Unla
Verified Safe
by AmoyLab
Overview
Transforms existing MCP Servers and APIs into MCP protocol-compliant endpoints through configuration, enabling LLM tool calling without code changes.
Installation
docker run -d --name unla \
  -p 8080:80 -p 5234:5234 -p 5235:5235 -p 5335:5335 -p 5236:5236 \
  -e ENV=production \
  -e TZ=Asia/Shanghai \
  -e APISERVER_JWT_SECRET_KEY="changeme-please-generate-a-random-secret" \
  -e SUPER_ADMIN_USERNAME="admin" \
  -e SUPER_ADMIN_PASSWORD="changeme-please-use-a-secure-password" \
  --restart unless-stopped \
  ghcr.io/amoylab/unla/allinone:latest
Environment Variables
- APISERVER_JWT_SECRET_KEY
- SUPER_ADMIN_USERNAME
- SUPER_ADMIN_PASSWORD
- ENV
- TZ
- GATEWAY_STORAGE_TYPE
- APISERVER_DB_TYPE
- NOTIFIER_TYPE
- SESSION_STORAGE_TYPE
- OAUTH2_STORAGE_TYPE
- APISERVER_OAUTH_GOOGLE_CLIENT_ID
- APISERVER_OAUTH_GOOGLE_CLIENT_SECRET
- APISERVER_OAUTH_GITHUB_CLIENT_ID
- APISERVER_OAUTH_GITHUB_CLIENT_SECRET
Security Notes
The system's core functionality relies on processing user-provided YAML configurations and OpenAPI specifications to dynamically build API tools. This design is flexible, but it shifts much of the security burden onto the integrity and validation of those configurations. Malicious configurations or OpenAPI imports could lead to Server-Side Request Forgery (SSRF), data exfiltration, or injection vulnerabilities if templated fields (e.g., endpoint URLs, request/response bodies, headers) are not thoroughly sanitized and validated to prevent access to internal resources and unintended external interactions. The use of environment variables for sensitive data like JWT secrets and admin passwords is good practice, and authentication/authorization mechanisms are present for management APIs. However, dynamic content is rendered with Go's `text/template` rather than `html/template`, so output is not contextually escaped, and that code requires careful auditing to prevent content injection. The `toJSON` function used for arguments in request bodies could also pose a risk if it is not securely implemented.
Similar Servers
mcpo
Exposes Model Context Protocol (MCP) tools as OpenAPI-compatible HTTP servers.
mcp-context-forge
Converts web content (HTML, PDF, DOCX, etc.) and local files from a URL into high-quality Markdown format. It supports multiple conversion engines, content optimization, batch processing, and image handling.
mcphub
An orchestration hub that aggregates, manages, and routes Model Context Protocol (MCP) servers and their tools, providing a centralized interface, user management, OAuth 2.0 authorization server capabilities, and AI-powered tool discovery and routing.
toolhive-registry-server
The central metadata hub for enterprise Model Context Protocol (MCP) server governance and discovery, implementing the official MCP Registry API specification.