{"id":37887792,"url":"https://github.com/nonameb3/safe-commander-mcp","last_synced_at":"2026-01-16T16:53:45.444Z","repository":{"id":295869271,"uuid":"991538337","full_name":"nonameb3/safe-commander-mcp","owner":"nonameb3","description":"A secure MCP server for executing whitelisted development commands with comprehensive security controls. ","archived":false,"fork":false,"pushed_at":"2025-05-29T15:52:36.000Z","size":299,"stargazers_count":0,"open_issues_count":2,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-17T13:49:31.861Z","etag":null,"topics":["ai-tools","claude","command-execution","development-tools","mcp","model-context-protocol","nodejs","safe-execution","security","typescript"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/safe-commander-mcp","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nonameb3.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-27T19:25:01.000Z","updated_at":"2025-05-31T14:03:24.000Z","dependencies_parsed_at":"2025-05-27T19:52:21.780Z","dependency_job_id":"af446f8e-6146-4227-a6bd-5c4ad4648627","html_url":"https://github.com/nonameb3/safe-commander-mcp","commit_stats":null,"previous_names":["nonameb3/safe-commander-mcp"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/nonameb3/safe-commander-mcp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nonameb3%2Fsafe-commander-mcp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nonameb3%2Fsafe-commander-mcp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nonameb3%2Fsafe-commander-mcp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nonameb3%2Fsafe-commander-mcp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nonameb3","download_url":"https://codeload.github.com/nonameb3/safe-commander-mcp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nonameb3%2Fsafe-commander-mcp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28480081,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T11:59:17.896Z","status":"ssl_error","status_checked_at":"2026-01-16T11:55:55.838Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-tools","claude","command-execution","development-tools","mcp","model-context-protocol","nodejs","safe-execution","security","typescript"],"created_at":"2026-01-16T16:53:45.361Z","updated_at":"2026-01-16T16:53:45.425Z","avatar_url":"https://github.com/nonameb3.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Safe Commander MCP\n\n[![npm version](https://badge.fury.io/js/safe-commander-mcp.svg)](https://badge.fury.io/js/safe-commander-mcp)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![TypeScript](https://img.shields.io/badge/TypeScript-5.8+-blue.svg)](https://www.typescriptlang.org/)\n\nA secure MCP (Model Context Protocol) server for executing whitelisted development commands with comprehensive security controls and resource limits. Features revolutionary **intelligent command discovery** that transforms AI assistance from \"trial and error\" to proactive, categorized command suggestions. Perfect for AI assistants that need safe command execution capabilities.\n\n## Features\n\n🧠 **Intelligent Command Discovery**\n- Revolutionary `list_available_commands` tool for proactive assistance\n- Command categorization by type (package management, version control, file operations, etc.)\n- Comprehensive command descriptions and real-time configuration reporting\n- Transform from \"trial and error\" to intelligent command workflows\n\n🔒 **Security First**\n- Command whitelisting with configurable allowed commands\n- Path traversal prevention and directory restrictions  \n- Command injection protection with character sanitization\n- Resource limits (timeout, output size, concurrent commands)\n- Startup validation to catch configuration issues early\n\n⚡ **Performance \u0026 Monitoring**\n- Execution time tracking and detailed logging\n- Rate limiting with command cooldowns (1-second minimum between same commands)\n- Concurrent command management (configurable limit)\n- Graceful shutdown handling with cleanup\n\n🛠️ **Developer Friendly**\n- TypeScript implementation with full type safety\n- Comprehensive error messages and debugging logs\n- Environment-based configuration\n- Production-ready logging to stderr (MCP-compliant)\n\n## Quick Start (No Installation Required!)\n\n**🚀 You can use Safe Commander MCP without installing it globally on your machine!**\n\n**🛡️ Security-First Approach**: By default, only safe read-only commands are allowed to protect your codebase and data from unauthorized access.\n\nJust add this configuration to your MCP client and you're ready to go:\n\n```json\n{\n  \"mcpServers\": {\n    \"safe-commander\": {\n      \"command\": \"npx\",\n      \"args\": [\"-y\", \"safe-commander-mcp\"],\n      \"env\": {\n        \"ALLOWED_PATH\": \"/path/to/your/project\",\n        \"ALLOWED_COMMANDS\": \"ls,cat,pwd,echo\"\n      }\n    }\n  }\n}\n```\n\n**⚠️ CRITICAL SECURITY WARNING**:\n- **The primary risk is the LLM itself** - it may attempt to access sensitive files or execute dangerous commands\n- **Your codebase and data protection** is the main security concern - commands can read private files, source code, environment variables, etc.\n- **Only add commands you fully understand** - each additional command expands what the LLM can access\n- **You are responsible** for understanding the implications of every command you allow\n\nThat's it! The `npx -y` command will automatically download and run the latest version when needed.\n\n## Configuration\n\n### Required Environment Variables\n\n| Variable | Required | Example | Description |\n|----------|----------|---------|-------------|\n| `ALLOWED_PATH` | ✅ **Yes** | `/Users/yourname/projects/my-app` | Directory where commands can be executed (use absolute path) |\n| `ALLOWED_COMMANDS` | No | `ls,cat,pwd,echo` | Comma-separated list of allowed commands |\n\n### Claude Desktop Setup\n\n**Step 1:** Open your Claude Desktop config file:\n- **macOS**: `~/Library/Application Support/Claude/claude_desktop_config.json`\n- **Windows**: `%APPDATA%/Claude/claude_desktop_config.json`\n\n**Step 2:** Add the Safe Commander MCP configuration:\n\n```json\n{\n  \"mcpServers\": {\n    \"safe-commander\": {\n      \"command\": \"npx\",\n      \"args\": [\"-y\", \"safe-commander-mcp\"],\n      \"env\": {\n        \"ALLOWED_PATH\": \"/Users/yourname/projects/my-project\",\n        \"ALLOWED_COMMANDS\": \"ls,cat,pwd,echo\"\n      }\n    }\n  }\n}\n```\n\n**Step 3:** Replace `/Users/yourname/projects/my-project` with your actual project path.\n\n**Step 4:** Restart Claude Desktop.\n\n**Step 5:** Test by asking: *\"What commands are available?\"*\n\n**🔒 Important**: The default commands (`ls,cat,pwd,echo`) are read-only and safe. To add more powerful commands like `npm`, `git`, or `python`, carefully consider the security implications - they may allow the LLM to read sensitive data, modify files, or execute arbitrary code.\n\n### Other MCP Clients\n\nFor other MCP clients, use the same configuration format. The key points:\n- **Command**: `npx`\n- **Args**: `[\"-y\", \"safe-commander-mcp\"]`\n- **Environment**: Set `ALLOWED_PATH` and optionally `ALLOWED_COMMANDS`\n\n## Real-World Examples\n\n**⚠️ Security First**: All examples below add commands beyond the safe defaults. Each additional command increases LLM capabilities but also increases the risk of data exposure or unauthorized actions.\n\n### For Web Development\n```json\n\"ALLOWED_PATH\": \"/Users/yourname/projects/my-web-app\"\n\"ALLOWED_COMMANDS\": \"ls,cat,pwd,echo,npm,git\"\n```\n**Risk**: `npm` can install packages and run scripts. `git` can access repository history including commit messages, author information, file changes, and branch data.\n\n### For Python Development\n```json\n\"ALLOWED_PATH\": \"/Users/yourname/projects/my-python-app\"\n\"ALLOWED_COMMANDS\": \"ls,cat,pwd,echo,python,pip,git\"\n```\n**Risk**: `python` can execute arbitrary code and access any file. `pip` can install packages.\n\n**⚠️ Security Note**: `ALLOWED_COMMANDS` can be customized to include any commands you need, but **carefully review each command** before adding it. More powerful commands enable more capable LLM assistance, but also introduce greater security risks. **The LLM is the primary threat** - it may attempt to read sensitive files, access credentials, or execute unauthorized operations.\n\n### For Full-Stack Development\n```json\n\"ALLOWED_PATH\": \"/Users/yourname/projects\"\n\"ALLOWED_COMMANDS\": \"ls,cat,pwd,echo,npm,git,python,docker\"\n```\n**Risk**: This configuration allows significant system access. `docker` can access containers and potentially the entire system.\n\n**🔒 Security Reminder**: This example includes powerful commands that can access sensitive data, modify your system, or execute arbitrary code. Only use if you fully trust the LLM and understand the implications.\n\nUse these environment variable values in the main MCP configuration shown in the [Claude Desktop Setup](#claude-desktop-setup) section above.\n\n## Alternative Installation Methods\n\n### If You Prefer Global Installation\n\nIf you want to install globally first (optional):\n\n```bash\nnpm install -g safe-commander-mcp\n```\n\nThen use `\"command\": \"safe-commander-mcp\"` instead of the npx approach in your MCP configuration.\n\n### For Development/Contributing\n\nIf you want to contribute to Safe Commander MCP or develop new features:\n\n```bash\n# Clone the repository\ngit clone https://github.com/nonameb3/safe-commander-mcp.git\ncd safe-commander-mcp\n\n# Install dependencies\nnpm install\n\n# Build the project\nnpm run build\n\n# Run in development mode (with file watching)\nnpm run dev\n\n# Run tests\nnpm test\n\n# Check TypeScript types\nnpm run lint\n```\n\nThis setup allows you to modify the source code and test changes locally before contributing back to the project.\n\n## Usage Examples\n\n### Intelligent Command Discovery (NEW!)\n\nClaude can now proactively discover and suggest commands without guessing:\n\n```\n\"What commands are available in this project?\"\n\"Show me the available package management commands\"\n\"List all development tools I can use here\"\n\"What are my options for version control operations?\"\n```\n\nThe `list_available_commands` tool provides:\n- **Command Categories**: Organized by type (package management, version control, file operations, etc.)\n- **Detailed Descriptions**: Explanation of what each command does\n- **Configuration Info**: Current working directory, resource limits, and timeouts\n- **Usage Statistics**: Command counts and category summaries\n\n### Basic Command Execution\n\nOnce configured, you can ask your AI assistant to run commands:\n\n```\n\"Run npm install in the project directory\"\n\"Show me the git status\"\n\"List the files in the current directory\"\n\"Run the build script with npm run build\"\n```\n\n### Safe Commands\n\nThe following commands are included by default for security:\n- `ls` - Directory listing (read-only)\n- `cat` - File content reading (read-only) \n- `pwd` - Current directory (read-only)\n- `echo` - Display text (safe output)\n\n**Additional commands you might add (understand the risks first):**\n- `git` - Version control operations (can access repository history including commit messages, author information, file changes, and branch data)\n- `npm` - Package management (can install packages and run scripts)\n- `python` - Script execution (can execute arbitrary code and access any file)\n- `node` - JavaScript execution (can bypass all security protections)\n\n**🚨 LLM Risk Warning**: Remember that the LLM itself is the primary security concern. Even with \"safe\" commands, an LLM could potentially:\n- Use `cat` to read sensitive files like `.env`, `config.json`, private keys\n- Use `ls` to discover the structure of your private codebase\n- Combine multiple commands to extract sensitive information\n\nAlways ensure your `ALLOWED_PATH` points to a directory that doesn't contain sensitive data you wouldn't want the LLM to access.\n\n### Custom Command Configuration\n\nYou can customize allowed commands for your specific needs, but always review each command carefully:\n\n```json\n{\n  \"env\": {\n    \"ALLOWED_PATH\": \"/path/to/project\",\n    \"ALLOWED_COMMANDS\": \"ls,cat,pwd,echo,npm,git\"\n  }\n}\n```\n\n**🛡️ Security Guidelines for Command Selection:**\n- **Start with defaults**: Begin with the secure defaults (`ls,cat,pwd,echo`)\n- **Add incrementally**: Add new commands only when required for specific tasks\n- **Understand LLM risks**: The LLM is the primary threat - it may try to access sensitive data\n- **Review regularly**: Periodically audit your command list and remove unused commands\n- **Principle of least privilege**: Only grant the minimum access needed\n- **Data protection focus**: Consider what sensitive data the LLM could access with each command\n\n**Common command categories and their risk levels:**\n- **Minimal risk**: `ls`, `cat`, `pwd`, `echo` - Read-only file operations (but can still expose sensitive file contents)\n- **Medium risk**: `git` - Version control with access to repository history including commit messages, author information, file changes, and branch data\n- **High risk**: `npm`, `pip` - Package managers that can install software and run scripts\n- **CRITICAL RISK**: `node`, `python`, `bash`, `sh` - **CAN BYPASS ALL SECURITY** and execute arbitrary system commands\n\n## Security Features\n\n### 🎯 **Primary Security Goal: Protect Your Data from LLMs and Third Parties**\n\nSafe Commander MCP is designed to prevent unauthorized access to your sensitive codebase, files, and data. **The main threat is the LLM itself** - it may attempt to:\n- Read sensitive files (credentials, private keys, source code)\n- Access confidential business data\n- Execute unauthorized operations\n- Exfiltrate data to third parties\n\n### ⚠️ Critical Security Considerations\n\n**IMPORTANT: Command Execution Bypass Vulnerabilities**\n\nSome commands can bypass the whitelist protection by executing other commands internally:\n\n- **`node`**: Can execute ANY system command via `child_process` module\n  ```bash\n  # This bypasses all protections:\n  node -e 'require(\"child_process\").execSync(\"rm -rf /important/data\")'\n  ```\n- **`python`**: Can execute system commands via `os.system()` or `subprocess`\n- **`bash`/`sh`**: Direct shell access bypasses all protections\n- **`npm`**: Can run scripts that execute arbitrary commands\n\n**Recommendation**: Only include `node` or `python` if you fully trust the LLM and understand the risks. For maximum security, use only read-only commands like `ls`, `cat`, `pwd`.\n\n### Command Validation\n- **Whitelist-only**: Only pre-approved commands can be executed\n- **Character sanitization**: Dangerous characters (`; \u0026 | \\` $ ( ) { } [ ] \u003c \u003e`) are blocked\n- **Path validation**: Prevents directory traversal attacks\n- **Length limits**: Commands are limited to 1000 characters\n\n**Note**: Character sanitization provides limited protection against commands that have built-in execution capabilities like `node` or `python`.\n\n### Resource Limits\n- **Execution timeout**: 30 seconds maximum per command\n- **Output size limit**: 1MB maximum output\n- **Concurrent commands**: Maximum 3 simultaneous executions\n- **Rate limiting**: 1-second cooldown between identical commands\n\n### Directory Restrictions\nAll commands are executed within the configured `ALLOWED_PATH` directory, preventing access to sensitive system areas.\n\n## 🔍 Quick Security Check\n\nBefore adding any command to your whitelist, ask yourself:\n- Can this command read files I don't want the LLM to see?\n- Can this command execute other commands or scripts? \n- What's the worst thing that could happen if the LLM runs this command?\n- Do I trust the LLM with this level of access to my system?\n\n**Remember**: The LLM is curious and will explore. Only grant access to what you're comfortable with it discovering.\n\n## API Reference\n\n### Available Tools\n\n#### `list_available_commands` (NEW!)\n\nDiscover available commands with intelligent categorization and descriptions.\n\n**Parameters:**\n- None required\n\n**Response:**\n- **Working Directory**: Current `ALLOWED_PATH` configuration\n- **Command Categories**: Commands organized by type (package management, version control, file operations, etc.)\n- **Command Descriptions**: Detailed explanation of each command's purpose\n- **Configuration**: Resource limits, timeouts, and system settings\n- **Statistics**: Command counts and category summaries\n\n**Example:**\n```json\n{\n  \"name\": \"list_available_commands\",\n  \"arguments\": {}\n}\n```\n\n**Sample Response:**\n```json\n{\n  \"workingDirectory\": \"/path/to/project\",\n  \"totalCommands\": 6,\n  \"categories\": {\n    \"packageManagement\": [\"npm\"],\n    \"versionControl\": [\"git\"],\n    \"fileOperations\": [\"ls\", \"cat\", \"pwd\"],\n    \"runtime\": [\"node\"]\n  },\n  \"commandDescriptions\": {\n    \"npm\": \"Node.js package manager - install, update, and manage dependencies\",\n    \"git\": \"Version control system - track changes and collaborate on code\"\n  },\n  \"configuration\": {\n    \"maxCommandLength\": 1000,\n    \"commandTimeout\": \"30000ms\",\n    \"maxConcurrentCommands\": 3\n  }\n}\n```\n\n#### `run_command`\n\nExecutes a whitelisted command in the configured directory.\n\n**Parameters:**\n- `command` (string, required): The command to execute\n\n**Response:**\n- Execution output (stdout/stderr)\n- Execution time\n- Error details (if applicable)\n\n**Example:**\n```json\n{\n  \"name\": \"run_command\",\n  \"arguments\": {\n    \"command\": \"npm run build\"\n  }\n}\n```\n\n## Development\n\n### Prerequisites\n- Node.js 18+\n- TypeScript 5.8+\n- Yarn or npm\n\n### Setup\n\n```bash\ngit clone https://github.com/nonameb3/safe-commander-mcp.git\ncd safe-commander-mcp\nyarn install\n```\n\n### Development Scripts\n\n```bash\n# Run in development mode\nyarn dev\n\n# Build for production\nyarn build\n\n# Run built version\nyarn start\n\n# Type checking\nnpx tsc --noEmit\n\n# Run with MCP inspector for debugging\nyarn start:mcp\n```\n\n### Testing Configuration\n\nFor testing, use a safe directory:\n\n```bash\nexport ALLOWED_PATH=\"/tmp/safe-test-dir\"\nexport ALLOWED_COMMANDS=\"ls,cat,pwd,echo\"\nyarn dev\n```\n\n## Troubleshooting\n\n### Common Issues\n\n**Error: \"ALLOWED_PATH directory does not exist\"**\n- Ensure the path exists and is accessible\n- Use absolute paths for reliability\n\n**Error: \"Command contains potentially dangerous characters\"**\n- The command contains blocked characters for security\n- Review the command for injection attempts\n\n**Error: \"Command not in allowed list\"**\n- Add the command to `ALLOWED_COMMANDS` environment variable\n- Ensure proper comma separation in the list\n- Use `list_available_commands` tool to see what's available (v1.1.0+)\n\n**JSON parsing errors in MCP client**\n- Ensure no `console.log()` usage (outputs to stdout)\n- All logging goes to stderr via the `log()` function\n\n### New Features (v1.1.0+)\n\n**Command Discovery**: Use the `list_available_commands` tool to:\n- See all available commands organized by category\n- Get detailed descriptions of what each command does\n- View current configuration and resource limits\n- Understand the working directory and security settings\n\nThis eliminates guesswork and enables Claude to provide more intelligent assistance.\n\n## Contributing\n\nWe welcome contributions! Please see our [Contributing Guidelines](CONTRIBUTING.md) for details.\n\n### Reporting Issues\n\nPlease use the [GitHub Issues](https://github.com/nonameb3/safe-commander-mcp/issues) page to report bugs or request features.\n\n### Pull Requests\n\n1. Fork the repository\n2. Create a feature branch (`git checkout -b feature/amazing-feature`)\n3. Commit your changes (`git commit -m 'Add amazing feature'`)\n4. Push to the branch (`git push origin feature/amazing-feature`)\n5. Open a Pull Request\n\n## Security\n\nThis project prioritizes security. If you discover a security vulnerability, please send an email to roonnapai.dev@gmail.com instead of using the issue tracker.\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n## Changelog\n\nSee [CHANGELOG.md](CHANGELOG.md) for version history and updates.\n\n## Acknowledgments\n\n- Built with [Model Context Protocol SDK](https://github.com/modelcontextprotocol/sdk)\n- Inspired by the need for secure AI-driven development tools\n- Thanks to the open-source community for continuous feedback and improvements\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnonameb3%2Fsafe-commander-mcp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnonameb3%2Fsafe-commander-mcp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnonameb3%2Fsafe-commander-mcp/lists"}