mcpm
by spre-sre
Overview
A CLI tool for installing and managing Model Context Protocol (MCP) servers, facilitating their integration with Claude Code and Gemini CLI.
Installation
mcpm
Environment Variables
- API_KEY
- SECRET
Security Notes
CRITICAL: The `mcpm` tool allows arbitrary code execution from remote repositories during the installation and build process. Specifically, the `runShellCmd` function in `internal/builder/shell.go` executes user-defined or inferred build commands (e.g., `npm install`, `python -m venv`, `go build`) using system shells (zsh, bash, sh) with `-l -c` or `-c` flags. If a malicious MCP server repository is installed via `mcpm install`, its `mcp.json` file can specify a `buildCmd`, or its `.js`/`.py`/`.go` project can be crafted, to execute arbitrary shell commands, leading to complete compromise of the user's system. Additionally, the `add` command constructs `claude mcp add` commands from user-provided inputs, which could be a vector for command injection if the `claude` CLI does not properly sanitize its arguments.
Similar Servers
claude-code-subagents-collection
Provides a command-line interface to browse, install, manage, and verify Claude Code subagents, commands, and external MCP (Model Context Protocol) servers, facilitating local and project-level configuration for development workflows.
mcpm.sh
This server provides a command-line interface to manage Model Context Protocol (MCP) servers, allowing users to discover, install, configure, run, share, and monitor them.
cli
The Smithery CLI installs, manages, develops, and runs Model Context Protocol (MCP) servers, acting as a client-agnostic tool for AI client integration.
mcp-use-cli
An interactive command-line interface (CLI) tool for connecting to and interacting with Model Context Protocol (MCP) servers using natural language, acting as an AI client that orchestrates LLM responses with external tools.