claude-vault
Verified Safe
by weber8thomas
Overview
AI-assisted HashiCorp Vault management for secure secret handling and migration, especially for Docker services.
Installation
uvx mcp-vault
Environment Variables
- VAULT_ADDR
- VAULT_TOKEN
Security Notes
The server employs a strong 'defense-in-depth' security model. It tokenizes all sensitive secret values before they reach the AI, so the AI has zero knowledge of them. All write operations, and even file-scanning operations, require WebAuthn biometric or hardware-key approval (human-in-the-loop), which significantly mitigates prompt injection risks. Robust input validation is implemented to prevent command injection and path traversal attacks. Vault tokens are session-based, short-lived, and stored only in memory. A comprehensive local audit log tracks all operations. The local approval server runs on localhost by default, with clear instructions for securing it with HTTPS/Nginx in production. The primary risks are the user's responsibility: the project explicitly warns not to commit locally generated plaintext .env files or the temporary pending-operations.json file, and the initial installation uses the 'curl | sudo bash' method common in Bash CLIs.
Similar Servers
consult-llm-mcp
An MCP server that allows AI agents like Claude Code to consult stronger, more capable AI models (e.g., GPT-5.2, Gemini 3.0 Pro) for complex code analysis, debugging, and architectural advice.
vault-mcp-server
Provides a Model Context Protocol (MCP) server implementation to integrate HashiCorp Vault secrets management and PKI operations with LLM clients.
mcp-ssh-manager
Manages remote SSH servers via the Model Context Protocol (MCP), enabling AI assistants like Claude Code and OpenAI Codex to execute commands, transfer files, monitor health, and automate DevOps tasks.
obsidian-mcp-server
Enables AI assistants to interact with and manage an Obsidian markdown vault via the Model Context Protocol (MCP).