Automox MCP Server

The official MCP server for Automox. Talk to your Automox console using natural language — this MCP server connects AI assistants like Claude to your Automox environment so you can manage devices, check compliance, run policies, and more, just by asking.

You:   "Are we ready for Patch Tuesday?"
Claude: Here's your readiness summary — 3 devices need patches,
        2 approvals are pending, and your patch policies run tonight at 2 AM...

Quick Start

1. Get your Automox credentials

You need three values from the Automox Console:

Both global and org-scoped API keys work. API Key and Account UUID are always required. Org ID is recommended but optional — some tools that don't require org context will work without it.

2. Create a .env file

AUTOMOX_API_KEY=your-api-key
AUTOMOX_ACCOUNT_UUID=your-account-uuid
AUTOMOX_ORG_ID=your-org-id

3. Connect to your AI assistant

Claude Desktop (recommended) — one-click MCPB install:

1. Download the latest automox-mcp-<version>.mcpb from the GitHub Releases page.

2. Open Claude Desktop → Settings → Extensions.

3. Drag the .mcpb file into the Extensions window.

4. Paste your API key, Account UUID, and (optionally) Org ID into the prompts.

No .env file, no terminal — credentials are stored in Claude Desktop's secure config. The bundle pulls the matching automox-mcp release from PyPI on first run.

Claude Code (CLI):

claude mcp add automox-mcp uvx -- --env-file /path/to/.env automox-mcp

Cursor / any other MCP client — add to your MCP config:

{
  "mcpServers": {
    "automox-mcp": {
      "command": "uvx",
      "args": ["--env-file", "/path/to/.env", "automox-mcp"]
    }
  }
}

That's it. Start asking questions.

What Can I Ask?

The server exposes 133 tools across devices, policies, patches, groups, webhooks, worklets, vulnerability sync, maintenance windows, and more. You don't need to know the tool names — just describe what you want:

For the full list of tools, parameters, and MCP resources, see the Tool Reference.

Tip: You can also ask the server itself — the discover_capabilities tool returns all available tools organized by domain.

Configuration

Environment Variables

Read-Only Mode

AUTOMOX_MCP_READ_ONLY=true

Disables all write operations. Only read-only tools are registered (85 of 133). Useful for auditing and monitoring.

Modular Loading

Load only the tool modules you need:

AUTOMOX_MCP_MODULES=devices,policies

Available modules: audit, audit_v2, devices, device_search, policies, policy_history, users, groups, events, reports, packages, webhooks, worklets, data_extracts, vuln_sync, compound, policy_windows

Both settings can be combined:

AUTOMOX_MCP_READ_ONLY=true
AUTOMOX_MCP_MODULES=devices,policies

HTTP Transport

For non-stdio deployments:

uvx --env-file .env automox-mcp --transport http --host 127.0.0.1 --port 8000

Endpoint Authentication

When deploying over HTTP or SSE, you can require authentication on the MCP endpoint (separate from the Automox API key). Two strategies are supported:

Static API keys (simple):

automox-mcp --generate-key                         # generate a key
export AUTOMOX_MCP_API_KEYS="amx_mcp_a1b2c3..."    # or use a key file

OAuth 2.1 / JWT (enterprise IdP integration):

export AUTOMOX_MCP_OAUTH_ISSUER="https://auth.example.com/realms/main"
export AUTOMOX_MCP_OAUTH_AUDIENCE="https://mcp.example.com"
export AUTOMOX_MCP_OAUTH_SERVER_URL="https://mcp.example.com"  # enables RFC 9728 metadata

Clients must include Authorization: Bearer <token> on every request. Unauthenticated requests receive 401 Unauthorized with proper WWW-Authenticate headers. No effect on stdio transport.

Security

The Automox MCP server is designed for enterprise deployment with defense-in-depth security controls.

Highlights:

• Read-only mode (AUTOMOX_MCP_READ_ONLY) disables all 48 write tools

• Module filtering (AUTOMOX_MCP_MODULES) for least-privilege tool loading

• Correlation IDs on every tool call, forwarded to Automox API as X-Correlation-ID

• Rate limiting (30 calls/60s) with token budget estimation and auto-truncation

• API key isolation — stored as private attribute with per-request auth injection (no header storage)

• Generic error responses — no internal paths, connection strings, or API keys in error output

• Prompt injection mitigation — API response sanitization with Unicode normalization, homoglyph defense, HTML tag/script stripping, and reference-style markdown stripping

• Webhook secret handling — secrets stripped from idempotency cache after creation

• Structured JSON logging (AUTOMOX_MCP_LOG_FORMAT=json) for SIEM integration

• Tool name prefixing (AUTOMOX_MCP_TOOL_PREFIX) to prevent cross-server collisions

• Sigstore-signed releases with CycloneDX SBOM

• SSRF prevention — webhook URLs validated against private/loopback IPs and cloud metadata endpoints

• MCP endpoint authentication — static API keys or OAuth 2.1/JWT with audience binding and RFC 9728 Protected Resource Metadata

• DNS rebinding protection — Origin and Host header validation on all HTTP/SSE connections per the MCP transport spec

• Security response headers — X-Content-Type-Options, X-Frame-Options, CSP, Cache-Control: no-store, Strict-Transport-Security on all HTTP responses

• Authentication rate limiting — blocks IPs after repeated auth failures to mitigate brute-force attacks

• Remote bind protection — non-loopback HTTP/SSE binding requires explicit --allow-remote-bind opt-in

• MCP Tool Annotations on all 133 tools — readOnlyHint, destructiveHint, idempotentHint, and openWorldHint per the MCP Protocol specification, enabling client-side confirmation dialogs and safety guardrails

• 60 security hardening items (V-001 through V-181, S-001 through S-006) documented in CHANGELOG and SECURITY.md

Capability model. The server wraps 100% of the published Automox Console API and Webhooks API, with a single deliberate exception — secret-exposing endpoints are never wrapped (API-key decrypt, password-setting). Every destructive operation is either ask-first (host confirmation) or gated behind a default-off env flag. Concretely, three categorical rules:

• Secrets are never handled — the server never returns secret material and never lets the model set it. Credentials enter only via environment/config; decrypt endpoints are not wrapped, password-setting is excluded, and secret fields are redacted from every projection. This is the only intentional omission.

• Destructive operations are two-tier. Single-target, recoverable actions are ask-first (destructiveHint: true, surfaced as a host confirmation dialog, disabled entirely by read-only mode). Operations where per-call confirmation can't protect you — fleet-scale, self-lockout, or arbitrary model-authored code execution — are gated behind explicit, default-off env flags (AUTOMOX_MCP_ALLOW_APPLY_REMEDIATION_ACTIONS, AUTOMOX_MCP_ALLOW_SPLASHTOP_BULK_INSTALL_UNINSTALL, AUTOMOX_MCP_ALLOW_DELETE_DEVICE). Device deletion is gated, not omitted.

The full coverage map, the gating principle, and every intentional omission are documented in API Coverage & Intentional Omissions.

For vulnerability reporting and the full threat model, see SECURITY.md. For deployment hardening (containers, Kubernetes, MCP gateways, TLS, authentication), see the Deployment Security Guide. Security posture is benchmarked against the Wiz MCP Security Best Practices cheat sheet.

Note: For network-accessible deployments, enable endpoint authentication (static keys via AUTOMOX_MCP_API_KEYS or JWT via AUTOMOX_MCP_OAUTH_ISSUER) and/or place the server behind an MCP gateway or authenticating reverse proxy. TLS termination is the deployer's responsibility.

Privacy Policy

The Automox MCP server acts as a stateless proxy between your AI assistant and the Automox API.

Data collection: The server does not collect, store, or transmit any user data beyond what is required to fulfill API requests to the Automox platform. API credentials are read from environment variables at startup and used solely for authenticating requests to the Automox API.

Data usage: All data retrieved from the Automox API is returned directly to the AI assistant that initiated the request. The server performs response sanitization (Unicode normalization, HTML stripping) for prompt injection defense, but does not analyze, aggregate, or repurpose API data for any other purpose.

Third-party sharing: The server does not share data with any third parties. It communicates exclusively with the Automox API (console.automox.com) using the credentials you provide. No telemetry, analytics, or usage data is sent to the server authors or any other service.

Data retention: The server retains no persistent data between sessions. In-memory caches (idempotency keys, rate-limit counters) are cleared when the process exits. Structured logs, when enabled, are written to stderr and are the deployer's responsibility to manage and retain.

See PRIVACY.md for the full privacy policy.

Alternative Installation

The Quick Start above uses uvx which requires no installation. If you prefer a persistent install:

# Using uv
uv tool install automox-mcp

# Using pip
pip install automox-mcp

Then set the environment variables in your shell and run automox-mcp.

Updating

If you already have the server installed, update to the latest version:

# uvx (Quick Start method) — force a cache refresh
uvx --refresh automox-mcp

# uv tool install
uv tool upgrade automox-mcp

# pip
pip install --upgrade automox-mcp

Note: uvx automatically refreshes its cache roughly every 7 days, so most users will pick up new releases without action. Run uvx --refresh to get the latest immediately.

Contributing

git clone https://github.com/AutomoxCommunity/automox-mcp.git
cd automox-mcp
uv python install
uv sync --python 3.13 --dev

Testing

Interactive debugging with MCP Inspector:

fastmcp dev

Run unit tests:

uv run --python 3.13 --dev pytest

Run production smoke tests (requires Automox credentials):

uv run python tests/smoke_production.py

MCP Scanner

Static analysis with Cisco's MCP Scanner:

mcp-scanner \
  --analyzers yara \
  --format summary \
  stdio \
  --stdio-command uv \
  --stdio-arg run \
  --stdio-arg automox-mcp \
  --stdio-env AUTOMOX_API_KEY=test-api-key \
  --stdio-env AUTOMOX_ACCOUNT_UUID=test-account \
  --stdio-env AUTOMOX_ORG_ID=1 \
  --stdio-env AUTOMOX_MCP_SKIP_DOTENV=1

Versioning

Follows Semantic Versioning. Update pyproject.toml, commit, tag (e.g., v0.1.0), and push — the release workflow publishes to PyPI automatically.

License

MIT License. See LICENSE.

Support

The official Automox MCP server. Due to the fast moving nature of this project, support is provided via GitHub issues and the Automox Community Slack. Please use those avenues for questions, bugs, or feature requests.

To report a security vulnerability, see SECURITY.md — please do not open a public issue.