by hdresearch

run_command

Execute shell commands securely within a controlled Node.js environment using the Model Context Protocol, enabling safe and structured command execution for AI models like Claude.

Instructions

Run a shell command

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| command | No | | |

Implementation Reference

  • The CallToolRequestSchema handler that implements the 'run_command' tool. It extracts the command, checks that its base command (the first whitespace-separated token) exists and is not blacklisted, executes the full command string using execa in shell mode, and returns stdout/stderr or error content.
    this.server.setRequestHandler(CallToolRequestSchema, async (request) => {
      if (request.params.name !== 'run_command') {
        throw new Error(`Unknown tool: ${request.params.name}`);
      }
    
      const command = request.params.arguments?.command as string;
      try {
        const baseCommand = command.trim().split(/\s+/)[0];
        if (!(await commandExists(baseCommand))) {
          throw new Error(`Command not found: ${baseCommand}`);
        }
    
        if (!validateCommand(baseCommand)) {
          throw new Error(`Command not allowed: ${baseCommand}`);
        }
    
        const { stdout, stderr } = await execa(command, [], {
          shell: true,
          env: process.env,
        });
    
        return {
          content: [{ type: 'text', text: stdout || stderr, mimeType: 'text/plain' }],
        };
      } catch (error) {
        return {
          content: [
            {
              type: 'text',
              text: String(error),
              mimeType: 'text/plain',
            },
          ],
        };
      }
    });
  • Input schema definition for the 'run_command' tool, specifying an object with a 'command' string property (the schema does not list it as required).
    inputSchema: {
      type: 'object',
      properties: {
        command: { type: 'string' },
      },
    },
  • src/index.ts:89-102 (registration)
    Registration of the 'run_command' tool via the ListToolsRequestSchema handler, including name, description, and input schema.
    this.server.setRequestHandler(ListToolsRequestSchema, async () => ({
      tools: [
        {
          name: 'run_command',
          description: 'Run a shell command',
          inputSchema: {
            type: 'object',
            properties: {
              command: { type: 'string' },
            },
          },
        },
      ],
    }));
  • Helper function used by the handler to check if a command's base name is blacklisted.
    function validateCommand(baseCommand: string): boolean {
      return !BLACKLISTED_COMMANDS.has(baseCommand);
    }
  • Set of blacklisted dangerous commands that the 'run_command' tool refuses to execute for security.
    const BLACKLISTED_COMMANDS = new Set([
      // File System Destruction Commands
      'rm', // Remove files/directories - Could delete critical system or user files
      'rmdir', // Remove directories - Could delete important directories
      'del', // Windows delete command - Same risks as rm
    
      // Disk/Filesystem Commands
      'format', // Formats entire disks/partitions - Could destroy all data on drives
      'mkfs', // Make filesystem - Could reformat drives and destroy data
      'dd', // Direct disk access - Can overwrite raw disks, often called "disk destroyer"
    
      // Permission/Ownership Commands
      'chmod', // Change file permissions - Could make critical files accessible or inaccessible
      'chown', // Change file ownership - Could transfer ownership of sensitive files
    
      // Privilege Escalation Commands
      'sudo', // Superuser do - Allows running commands with elevated privileges
      'su', // Switch user - Could be used to gain unauthorized user access
    
      // Code Execution Commands
      'exec', // Execute commands - Could run arbitrary commands with shell's privileges
      'eval', // Evaluate strings as code - Could execute malicious code injection
    
      // System Communication Commands
      'write', // Write to other users' terminals - Could be used for harassment/phishing
      'wall', // Write to all users - Could be used for system-wide harassment
    
      // System Control Commands
      'shutdown', // Shut down the system - Denial of service
      'reboot', // Restart the system - Denial of service
      'init', // System initialization control - Could disrupt system state
    
      // Additional High-Risk Commands
      'mkfs', // Duplicate of above, filesystem creation - Data destruction risk
    ]);
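
The handler above checks only the first whitespace-separated token against the denylist, while the full string is run through a shell. A stricter alternative, as an added example that is not the project's code: judge the entire string against an allowlist and return an argv array that can be passed to `execa(file, args)` without `shell: true`. `ALLOWED_COMMANDS`, `SHELL_META`, `toArgv` and `checkCommand` are hypothetical names.

```typescript
// Added example, not hdresearch/mcp-shell code. ALLOWED_COMMANDS is a
// hypothetical policy (assumption); the page's server uses a denylist.
const ALLOWED_COMMANDS = new Set(['ls', 'cat', 'pwd', 'echo']);

// Shell-interpreted characters: separators, pipes, redirection, substitution, globs, escapes.
const SHELL_META = /[;&|<>`$(){}\[\]*?!~#\\\n\r]/;

type Decision = { ok: true; file: string; args: string[] } | { ok: false; reason: string };
const deny = (reason: string): Decision => ({ ok: false, reason });

// Split on whitespace, keeping '...' and "..." together as one argv entry.
// Returns null when a quote is left open.
function toArgv(input: string): string[] | null {
  const argv: string[] = [];
  let current = '';
  let quote: string | null = null;
  let started = false;
  for (const ch of input) {
    if (quote !== null) {
      if (ch === quote) quote = null;
      else current += ch;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
      started = true;
    } else if (/\s/.test(ch)) {
      if (started) argv.push(current);
      current = '';
      started = false;
    } else {
      current += ch;
      started = true;
    }
  }
  if (quote !== null) return null;
  if (started) argv.push(current);
  return argv;
}

// Decide on the whole string, then hand back argv for a shell-free exec.
function checkCommand(command: unknown): Decision {
  if (typeof command !== 'string' || command.trim() === '') return deny('empty or non-string command');
  if (SHELL_META.test(command)) return deny('shell metacharacters are not accepted');
  const argv = toArgv(command);
  if (argv === null) return deny('unterminated quote');
  const file = argv[0] ?? '';
  // Exact match on a bare name, so path-qualified names are refused too.
  if (!ALLOWED_COMMANDS.has(file)) return deny(`command not on allowlist: ${file}`);
  return { ok: true, file, args: argv.slice(1) };
}
```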
Behavior: 2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

No annotations are provided, so the description carries full burden but only states the action without disclosing behavioral traits. It doesn't cover critical aspects like whether the command runs locally or remotely, if it requires elevated privileges, potential side effects (e.g., file modifications), error handling, or output format. This leaves significant uncertainty for safe and effective use.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is extremely concise with just three words, front-loaded and zero waste. It efficiently conveys the core action without unnecessary elaboration, making it easy to parse quickly. However, this conciseness comes at the cost of completeness, as noted in other dimensions.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity of running shell commands (which can be high-risk with mutations and side effects), no annotations, no output schema, and low parameter coverage, the description is incomplete. It lacks essential context such as execution environment, security implications, error responses, and usage scenarios, making it inadequate for safe agent operation.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 2/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has 1 parameter with 0% description coverage, and the description adds no meaning beyond the schema. It doesn't explain what the 'command' parameter should contain (e.g., syntax, examples, allowed commands) or any constraints. Since schema coverage is low, the description fails to compensate, leaving the parameter poorly documented.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 3/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description 'Run a shell command' clearly states the action (run) and target (shell command), providing a basic understanding of purpose. However, it lacks specificity about what kind of shell command or execution environment, making it somewhat vague. Since there are no sibling tools, differentiation isn't required, but the description could be more detailed.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool, such as for administrative tasks, automation, or debugging. It doesn't mention prerequisites like permissions, security considerations, or alternatives, leaving the agent with no context for decision-making. With no sibling tools, this is less critical but still a gap.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/hdresearch/mcp-shell'