bmad-mcp-server
by mkellerman
Overview
Provides AI assistants with access to specialized agents and automated workflows from the BMAD (Business Methodology Automation and Delivery) methodology.
Installation
npx -y bmad-mcp-serverEnvironment Variables
- BMAD_ROOT
- BMAD_DEBUG
- LITELLM_PROXY_URL
- LITELLM_PROXY_API_KEY
- LLM_MODEL
- SKIP_LLM_TESTS
- LITELLM_PORT
- NODE_ENV
Security Notes
A critical path traversal vulnerability exists in the `ReadResourceRequestSchema` handler and `ResourceLoaderGit.loadFile` function. If a malicious actor can control the `uri` parameter (e.g., `bmad:///etc/passwd` or `bmad://../../../../etc/passwd`), they can read arbitrary files on the system that the Node.js process has access to. The `path.join` function, when given an absolute path segment (like `/etc/passwd`) or enough `../` segments, can escape the intended `bmadRoot` directory. This allows unauthorized access to sensitive data. Additionally, while Git cloning to `~/.bmad/cache/git` limits impact, it still involves executing external `git` commands with URLs that could potentially be malicious, though `--depth 1` helps mitigate some deep repository risks.
Similar Servers
mcp-servers
A curated collection of Model Context Protocol (MCP) server configurations to integrate various developer tools and services with AI agents.
Polymcp
A comprehensive TypeScript framework for building and orchestrating Model Context Protocol (MCP) servers and AI agents, enabling LLMs to intelligently discover, select, and execute external tools.
MCP-Agent
An autonomous AI agent designed to discover, connect to, and utilize tools and resources from various Model Context Protocol (MCP) servers to accomplish tasks.
mcp-agentic-sdlc
A comprehensive framework for managing software development lifecycle with AI agents, combining structured development processes with intelligent workflow management.