openapi-mcp
by Cronos402
Overview
Converts OpenAPI specifications into MCP-compatible API endpoints, providing a universal adapter for AI agents to interact with any HTTP API.
Installation
pnpm start
Environment Variables
- PORT
Security Notes
CRITICAL: The server is vulnerable to Server-Side Request Forgery (SSRF) because it fetches arbitrary OpenAPI specification URLs provided by the user via the `url` query parameter. An attacker could use this to scan internal networks, access cloud metadata services (e.g., AWS EC2 metadata), or interact with other unauthorized internal resources from the server's perspective. The `getToolsFromOpenApi` and initial `fetch` operations are performed without validating the `url` parameter against a whitelist or restricting its scope. While internal processing uses Zod for parameter validation and some header sanitization, the initial fetching of the spec itself poses a severe risk. There are no apparent hardcoded secrets or direct command injection vulnerabilities.
Similar Servers
mcpo
Exposes Model Context Protocol (MCP) tools as OpenAPI-compatible HTTP servers.
Unla
Transforms existing MCP Servers and APIs into MCP protocol-compliant endpoints through configuration, enabling LLM tool calling without code changes.
MyMCP
Dynamically convert any OpenAPI v3 specification into a fully-functional Model Context Protocol (MCP) server, exposing external APIs as MCP tools.
openapi-mcp-server
Converts OpenAPI specifications into Model Context Protocol (MCP) tools, enabling AI assistants to interact with APIs.