mcp-github-app-auth
Verified Safe by legido-ai
Overview
Provides a Model Context Protocol (MCP) server for GitHub operations, primarily focused on securely obtaining temporary GitHub App authentication tokens for various Git and GitHub API actions.
Installation
docker run -i --rm -e GITHUB_APP_ID="$GITHUB_APP_ID" -e GITHUB_PRIVATE_KEY="$GITHUB_PRIVATE_KEY" -e GITHUB_INSTALLATION_ID="$GITHUB_INSTALLATION_ID" ghcr.io/legido-ai/mcp-github-app-auth:latest
Environment Variables
- GITHUB_APP_ID
- GITHUB_PRIVATE_KEY
- GITHUB_INSTALLATION_ID
- GITHUB_API_HOST
Security Notes
The core server logic reads credentials from environment variables and runs Git commands through `subprocess.run` with list arguments, which avoids shell interpretation and is generally safe. However, the `mcp_test.sh` script uses `eval "$SERVER_CMD"`, where `SERVER_CMD` is a command string assembled from environment variables. Because `eval` re-parses that string as shell code, it creates a shell injection vulnerability if `GITHUB_PRIVATE_KEY` or any other `GITHUB_*` environment variable contains shell metacharacters. This `eval` is confined to the testing script and is not on the primary server execution path (direct `python` execution or the recommended `docker run` from the README), but it still represents a significant security oversight in the repository's practices. No hardcoded secrets or obfuscation were found. Network communication relies on standard HTTPS to the GitHub API.
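The following added example (not code from the mcp-github-app-auth repository) shows the `eval`-based launch pattern the note describes next to a hardened replacement that passes the command as an argument list and the secrets through `env`, so nothing is re-parsed by the shell. The child command, the `safe_launch`/`unsafe_launch` names and the PEM-shaped key value are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the mcp-github-app-auth repository.
# The launched command is a stand-in for the server launch line in mcp_test.sh.

# The pattern the security note describes: a command string is built from
# environment variables and handed to eval, so the shell re-parses the variables'
# contents as code. Even a benign PEM key carries newlines, '/', '+' and '=',
# which eval treats as syntax, so this breaks (or worse) on real key material.
unsafe_launch() {
    SERVER_CMD="GITHUB_PRIVATE_KEY=$GITHUB_PRIVATE_KEY $*"
    eval "$SERVER_CMD"
}

# Hardened replacement: fail fast on missing variables, then run the command as an
# argument list ("$@") with the secrets exported through env. Variable contents
# reach the child byte-for-byte and are never interpreted by the shell.
safe_launch() {
    : "${GITHUB_APP_ID:?GITHUB_APP_ID is required}"
    : "${GITHUB_PRIVATE_KEY:?GITHUB_PRIVATE_KEY is required}"
    : "${GITHUB_INSTALLATION_ID:?GITHUB_INSTALLATION_ID is required}"
    if [ "$#" -eq 0 ]; then
        echo "safe_launch: no command given" >&2
        return 2
    fi
    env GITHUB_APP_ID="$GITHUB_APP_ID" \
        GITHUB_PRIVATE_KEY="$GITHUB_PRIVATE_KEY" \
        GITHUB_INSTALLATION_ID="$GITHUB_INSTALLATION_ID" \
        GITHUB_API_HOST="${GITHUB_API_HOST:-api.github.com}" \
        "$@"
}

# Constructed sample values (not real credentials): a PEM-shaped key with the
# newlines and punctuation a real one contains.
GITHUB_APP_ID="123456"
GITHUB_INSTALLATION_ID="7890"
GITHUB_PRIVATE_KEY="$(printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIE/abc+def==\n-----END RSA PRIVATE KEY-----')"

# Usage: the stand-in child prints the key it received through the environment;
# with safe_launch it is identical to the value set above, newlines included.
safe_launch sh -c 'printf %s "$GITHUB_PRIVATE_KEY"'
echo
```

The fix is not to quote more carefully inside `SERVER_CMD` but to drop the string-then-`eval` step entirely: keep the program and its arguments as separate words and let `env` (or a plain `VAR=value command` prefix) hand the values to the child process.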
Similar Servers
ggmcp
A focused MCP server for developers, providing remediation tools for secrets detected in code and honeytoken management capabilities.
gh-mcp
A GitHub CLI extension to seamlessly run the github-mcp-server in a Docker container using existing `gh` authentication.
mcp-maintainer-toolkit
This server provides a Model Context Protocol (MCP) interface with various tools and resources designed to assist in maintaining, testing, and developing MCP repositories and clients.
mcp-gihub-integration
This package provides a GitHub API client for integration with an MCP (Model Context Protocol) server, enabling automation of GitHub tasks.