mcp-bundle-factory
Verified Safe
by descentit
Overview
A proxy server that dynamically downloads and runs third-party Model Context Protocol (MCP) servers from npm or GitHub releases at runtime, enabling distribution via Claude Teams without bundling proprietary code and providing automatic updates.
Installation
node server/index.js
Environment Variables
- MCP_LOG_LEVEL
- MCP_HEALTH_CHECK_INTERVAL
- MCP_MAX_RESTART_ATTEMPTS
- MCP_RESTART_BACKOFF_MS
- PAX8_TOKEN
- PAX8_ENDPOINT
- GITHUB_PERSONAL_ACCESS_TOKEN
- MCP_SERVER_ID
- MCP_COMMAND
- MCP_ARGS
- MCP_TARGET_PACKAGE
- MCP_TARGET_VERSION
- MCP_TARGET_REGISTRY
- MCP_TARGET_ENTRY_POINT
- MCP_CACHE_DOWNLOADS
- MCP_CACHE_DIR
- MCP_STARTUP_TIMEOUT
- MCP_CRED_*
Security Notes
The `ProcessManager` spawns child processes with `shell: true`, a known security risk when the `command` or `args` are user-controlled and not strictly sanitized. The base `command` and `args` are embedded in the bundle's `server-config.json`, but user-provided configuration values (e.g., API keys, endpoints) are substituted directly into these `args` as environment variables. If the Claude Desktop environment does not validate or sanitize these inputs before passing them to the proxy, a malicious user could potentially inject shell commands. `downloader.js` also uses `spawn` to run `powershell`, `unzip`, and `tar` for archive extraction; however, the paths and commands for these are constructed internally from trusted configuration. No use of `eval` was found. Credentials are passed via environment variables and marked sensitive, suggesting secure handling by Claude Desktop.
Similar Servers
claude-code-subagents-collection
The repository serves as a comprehensive marketplace and registry for Claude Code, offering a wide array of specialized AI agents, commands, hooks, and a catalog of external Model Context Protocol (MCP) servers to enhance development workflows.
mcp-manager
A web GUI to easily manage and configure Model Context Protocol (MCP) servers for the Claude Desktop app on macOS, generating terminal commands for installation and setup.
modular-mcp
A proxy server that efficiently manages and loads large tool collections from multiple Model Context Protocol (MCP) servers on-demand for LLMs, reducing context overhead.
emceepee
A proxy server enabling AI agents to dynamically connect to and interact with multiple Model Context Protocol (MCP) backend servers, exposing the full MCP protocol via a simplified tool interface or a sandboxed JavaScript execution environment.