terminal-agent
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@terminal-agentsearch for 'TODO' in my code"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
terminal-agent
Local daemon for the terminal MCP bridge. It connects outbound over a
WebSocket to wss://mcp.lishuyu.app/mcp/terminal/ws, receives tool calls
that originate in claude.ai (or chatgpt.com), runs them against the local
file system, and returns results — after sanitizing every byte so that
no token or credential can ever reach chat history.
claude.ai ──(MCP, OAuth)──▶ mcp.lishuyu.app/mcp/terminal
│ TerminalBridge DO
│ WebSocket (this agent dials in, PSK auth)
▼
terminal-agent ──▶ local files
│ ┌────────────────┐
│ │ secret filter │ ← every output, before it leaves
│ └────────────────┘The hard rule
Defense in depth, every layer on the machine, before any byte leaves:
Read containment —
read_file/search_files/list_directoryare confined toallowed_read_dirs(default~/Codes), checked after resolving symlinks. Files outside the allowlist (/etc,~/.config,~/.ssh, another project) are simply unreadable. This is the primary boundary.Path blocklist — within the allowed roots, credential files (
.env*,.ssh/**,*.pem,*.key,*secret*,*credential*,.aws/**,.kube/**,.pgpass, …) are still refused (case-insensitive, symlink-resolved). Always on, not user-disableable.sanitize()— content regexes forsk-…,ghp_…, JWTs, PEM blocks, 64+ hex,password: …, URL credentials, etc. + yoursecret_literals, applied to all tool output and error messages. Over-redaction (a git SHA gets[REDACTED]) is preferred to any leak.Write confinement — writes are confined to
allowed_write_dirs, realpath-checked, with symlinked leaves/dirs rejected.No shell + a tight read-only command whitelist (see below).
Related MCP server: MCP Workspace Server
Tools
Read-only (default mode):
tool | what |
| is a machine connected, and in which mode |
| ripgrep, |
| line-numbered; head+tail for big files; ≤200-line ranges |
| tree, excludes node_modules/.git/… |
| single read-only command, no shell (no pipes/redirection/substitution). Whitelist is metadata-only: git metadata subcommands (log/status/rev-parse/ls-files/…, with patch flags |
Read-write / bypass (opt-in via switch_mode):
tool | what |
| confined to |
| enter read-write/bypass; needs the 6-digit code printed in THIS terminal at startup |
run_command deliberately does not whitelist python -c / node -e /
perl -e: those are arbitrary code execution and would defeat read-only.
Opt in per-binary via extra_read_binaries, or use bypass mode, only if
you accept the risk. Even in bypass mode the agent runs shell-free and
rejects pipes/redirection/$()/backticks — for a real pipeline, use a real
terminal.
switch_mode is the anti-prompt-injection gate
The agent generates a random 6-digit code on startup. Entering read-write or bypass is a two-step gate:
Request — the cloud calls
switch_mode(mode)without a code. The agent fires a macOS notification (notify_on_switch: true) carrying the code to your Mac, and tells the cloud "ask the operator for the code."Confirm — you read the code off the notification and relay it; the cloud calls
switch_mode(mode, confirmation_code)to apply.
A prompt-injected assistant cannot see your Mac's notifications (or your
terminal), so it cannot self-escalate — you hand it the code only when you
want to enable writes. The code rotates on every restart. (Off macOS, or with
notify_on_switch: false, the code is read from the startup banner/log.)
Elevation is temporary. read-write/bypass auto-reverts to read-only after
elevation_timeout_ms (default 10 min; each switch resets the clock), and you
get a notification when it does. A forgotten elevation can't stay open — and a
launchd restart also resets to the configured mode: (read-only). Set
elevation_timeout_ms: 0 to keep it manual.
Setup
Requires Bun (recommended) or Node ≥ 20.
cd ~/Codes/terminal-agent
bun install
cp config.example.yaml config.yaml # edit machine/cwd/allowed_write_dirs
# The pre-shared token must equal the Worker's TERMINAL_TOKEN secret.
export TERMINAL_AGENT_TOKEN='…' # put in ~/.zshrc or the launchd plist
bun run src/index.tsOn a successful connect you'll see [ws] connected … registered. In
claude.ai, add the connector https://mcp.lishuyu.app/mcp/terminal, then
call terminal_status to confirm the machine is online.
config.yaml
See config.example.yaml. Key fields: server, token (${ENV} is
substituted), machine, mode, default_cwd, max_output_bytes,
command_timeout_ms, allowed_write_dirs, blocked_paths (extra globs,
added to the hard floor), secret_literals, extra_read_binaries.
Run at login (launchd)
Copy com.lishuyu.terminal-agent.plist.example to
~/Library/LaunchAgents/com.lishuyu.terminal-agent.plist, fill in the
absolute paths, your token, and the Bun binary path, then:
launchctl load ~/Library/LaunchAgents/com.lishuyu.terminal-agent.plist
launchctl start com.lishuyu.terminal-agent
# logs → the StandardOut/StandardError paths in the plistThe confirmation code is in the agent's StandardOut log; grep it there
when you need to switch_mode.
Tests
bun test # secret-filter + command-whitelist unit tests
bun run type-checkThis server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/StevenLi-phoenix/terminal-agent'
If you have feedback or need assistance with the MCP directory API, please join our Discord server