mcp-reference-server
Verified Safeby chief-builder
Overview
An AI agent server that orchestrates LLM interactions with tool execution for the Model Context Protocol (MCP).
Installation
npx mcp-reference-serverEnvironment Variables
- MCP_CURSOR_SECRET
- ANTHROPIC_API_KEY
- OPENROUTER_API_KEY
- MCP_PORT
- MCP_HOST
- MCP_TRANSPORT
- MCP_STATELESS_MODE
- MCP_PAGINATION_DEFAULT
- MCP_PAGINATION_MAX
- MCP_REQUEST_TIMEOUT_MS
- MCP_SHUTDOWN_TIMEOUT_MS
- MCP_PROGRESS_INTERVAL_MS
- MCP_DEBUG
- MCP_LOG_LEVEL
- MCP_AUTH0_DOMAIN
- MCP_AUTH0_AUDIENCE
- MCP_AUTH0_CLIENT_ID
- MCP_M2M_CLIENT_SECRET
- OTEL_EXPORTER_OTLP_ENDPOINT
- OTEL_SERVICE_NAME
- MCP_TELEMETRY_ENABLED
- MCP_RESOURCE_URL
- MCP_AUTH_SERVERS
Security Notes
The server implements strong input validation using Zod and JSON Schema. It includes DoS protection for HTTP (body size limit) and stdio (line length limit). OAuth and PKCE implementations use Node.js crypto's timing-safe comparisons. JWT signature verification uses the `jose` library. However, the default HTTP transport configuration allows all CORS origins (`allowedOrigins: ['*']`), which is explicitly marked as 'not recommended for production' and poses a significant security risk if deployed without proper configuration. Additionally, the client-side CLI uses `shell-quote` to parse server commands, which, while safer than simple splitting, can still be a vector for command injection if '--server' arguments are not fully trusted.
Similar Servers
boilerplate-mcp-server
Provides a production-ready foundation for developing custom Model Context Protocol (MCP) servers in TypeScript to connect AI assistants with external APIs and data sources, exemplified by an IP geolocation tool.
zeromcp
A minimal, pure Python Model Context Protocol (MCP) server for exposing tools, resources, and prompts via HTTP/SSE and Stdio transports.
mcp-typescript-starter
A feature-complete Model Context Protocol (MCP) server template in TypeScript demonstrating all major MCP features for AI assistant interaction.
mcp_server
This server implements the Model Context Protocol (MCP) to expose developer-defined tools as a HTTP API, specifically demonstrating a task creation tool.