mcp-http-bridge
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-http-bridgebridge shell-0 tools over HTTP on port 8818"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mcp-http-bridge
Serve a stdio MCP server over streamable HTTP.
WARNING: this bridge can turn local-only tools into network-reachable remote code execution.
Shell-level MCP servers like shell-0 ship tools (
terminal,python_exec,js_exec,fs) that run UNSANDBOXED, with your full user privileges. Put this bridge in front of one and enable those tools and anyone who can reach the port can run commands and read/write files on your machine. There is no undo.Rules of the road: keep the tool filter tight, stay bound to
127.0.0.1unless you truly mean otherwise, and never serve execution tools on0.0.0.0without authentication and TLS in front (a reverse proxy). The bridge validates theOriginheader (allowlist empty by default, so browser cross-origin requests are rejected) and can require a shared-secret header, but it does no TLS of its own. Its auto-generated default filter disables every execution/escape tool andfson purpose - leave it that way unless you know exactly what you are opening up.
Some MCP clients (llama.cpp's web UI, OpenWebUI, anything that speaks MCP over HTTP instead of spawning a stdio subprocess) want an HTTP endpoint. This bridge takes an MCP server that follows the ToolRegistry convention and re-serves its tools over MCP streamable HTTP at /mcp, gated by a per-tool allow/deny filter.
It was built to sit in front of shell-0, but works with any server that exposes a module-level _TOOL_REGISTRY (get_schemas(), get_dispatch_map(), keys()).
Security, in more detail
Binding to 0.0.0.0 exposes whatever the filter enables to anyone who can reach the port. For a server like shell-0 that means:
enabling
terminal,python_exec, orjs_execover HTTP = remote code execution for the whole network.enabling
fs= arbitrary read/write of your filesystem, which is itself RCE-equivalent (write a shell rc, a startup script, a git hook).
Even bound to 127.0.0.1 you are not automatically safe: a web page in any browser tab can fetch() a loopback port - the DNS-rebinding / CSRF class the MCP spec says local servers must defend against. So the bridge validates the Origin header against MCP_ALLOWED_ORIGINS (empty by default, so every cross-origin browser request is rejected; non-browser MCP clients send no Origin and are unaffected) and can require a shared secret via MCP_BRIDGE_TOKEN. Its default tool filter also disables every execution/escape tool and fs. Beyond that: keep the filter tight, stay on 127.0.0.1 unless you genuinely mean to expose it, and put TLS + auth in front (a reverse proxy) before exposing anything powerful. The bridge does no TLS of its own.
Related MCP server: MCP HTTP Proxy
How it works
On startup the bridge imports your target server module, reads its _TOOL_REGISTRY, and stands up its own MCP server whose list_tools/call_tool handlers apply the filter and then dispatch into the target's registry. If the target exposes _truncate_output / _sanitize_surrogates (shell-0 does), those are reused so HTTP responses get the same output hygiene as stdio. Transport is the official StreamableHTTPSessionManager behind Starlette + uvicorn.
Rebuilding the server (instead of just wrapping the target's) is deliberate: it lets the bridge enforce the filter even when the underlying server does not, so a stdio server that exposes everything locally can still be served selectively over HTTP.
Install
Requires Python 3.10+.
Install as a package to get an mcp-http-bridge command on your PATH:
pipx install git+https://github.com/cutlerbenjamin1-cmd/mcp-http-bridgeFrom a local checkout: pip install . Or just install the dependencies and run bridge.py directly:
pip install -r requirements.txtRun it in front of shell-0
Clone shell-0 next to wherever you like, then run the bridge from inside the shell-0 directory so import server resolves:
cd /path/to/shell-0
mcp-http-bridge # or: python /path/to/mcp-http-bridge/bridge.pyPoint your HTTP MCP client at:
http://127.0.0.1:8818/mcpOn first run the bridge writes an http_tools.json next to you with a safe default (execution tools and fs off, everything else on). Edit it to choose what is reachable over HTTP, then restart. See http_tools.example.json for the shape. To let a browser client in, set MCP_ALLOWED_ORIGINS to its origin; for a shared secret, set MCP_BRIDGE_TOKEN and send it as X-MCP-Token (or Authorization: Bearer).
To expose on the LAN (read the security note again first):
set MCP_HOST=0.0.0.0
mcp-http-bridge # or: python /path/to/mcp-http-bridge/bridge.pyConfiguration
Environment variables:
MCP_SERVER_MODULE- module to import for the registry (default:server).MCP_HOST- bind address (default:127.0.0.1;0.0.0.0for LAN).MCP_PORT- port (default:8818).HTTP_TOOLS_CONFIG- path to the tool filter json (default:./http_tools.json).MCP_DEBUG-truefor stderr debug logging.
The filter file is {"tool_name": 1 | 0}. Missing tools are treated as disabled.
License
MIT. See LICENSE.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/cutlerbenjamin1-cmd/mcp-http-bridge'
If you have feedback or need assistance with the MCP directory API, please join our Discord server