Clash Control MCP
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Clash Control MCPlist my proxy groups"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Clash Control MCP
A MCP Server that lets AI agents safely read, audit, and manage Clash Verge Rev / Mihomo configuration. v1.0.0-rc.1 — authenticated Clash Verge Adapter writes, recovery inspection, and evidence-driven optimization helpers.
What This Does
Clash Control MCP exposes Clash Verge Rev's configuration and Mihomo's runtime state to AI agents (Codex, ZCode, Claude Code) through the Model Context Protocol. Agents can:
Detect Clash Verge Rev installation, version, and config paths
Read Mihomo runtime status (version, mode, ports, connections, traffic)
List and inspect proxy groups, profiles, and providers
Audit configuration for issues
Discover Verge settings and their storage locations
The original v0.1 tools remain read-only. v0.2-A adds two runtime-only operations: allowlisted delay testing and confirmed proxy selection with verification and rollback. It does not modify persistent configuration, DNS, TUN, or system proxy settings.
Related MCP server: Files MCP Server
Core MCP Setup from Source
git clone https://github.com/huaqing0/clash-control-mcp.git
cd clash-control-mcp
npm install
npm run build
npm run setup -- --allThis legacy core-only setup keeps the official Clash Verge App unchanged. It detects the local controller, backs up the selected client configurations, and installs the MCP server into Codex and ZCode. The controller secret is never printed, but it must be stored in each selected client's private MCP config.
Install only one client:
npm run setup -- --codex
npm run setup -- --zcodeThe supported Adapter installer below configures TRAE's detected global MCP
file; it never creates a project-local .trae/mcp.json. Use that path for
Codex, ZCode, or TRAE when testing Profile refresh/activation.
Restart the configured client, then ask it to call clash.capabilities.
Uninstall the managed entries:
npm run setup -- --all --uninstallUpgrade a source installation by pulling the new code and running the same setup command again. The managed entry is replaced rather than duplicated:
git pull
npm install
npm run setup -- --allThe installer creates timestamped backups beside the Codex and ZCode config
files and keeps the resulting files at mode 0600. Because stdio MCP clients
must pass the controller secret to the server, the secret is stored in the
client's local configuration; never publish or share those files.
If auto-detection is unavailable, provide the values only for the setup process:
CLASH_CONTROLLER_URL=http://127.0.0.1:9097 \
CLASH_CONTROLLER_SECRET='your-secret' \
npm run setup -- --allClash Verge Adapter Lifecycle
Profile refresh, activation, and future Verge-memory synchronization require the companion Adapter App. From a source checkout, use the single lifecycle entrypoint (Node.js 20.19.0 or newer):
npm ci
npm run build
npm exec -- clash-control-adapter --help
npm exec -- clash-control-adapter install --helpIt provides install, upgrade, verify, uninstall, patch-install,
patch-verify, and patch-uninstall. Full installation
requires a separately built and validated Adapter .app; it does not download
or silently replace Clash Verge. See ADAPTER-INSTALLATION.md
for the dry-run-first workflow, supported global client paths, recovery model,
and recovery rules. Users of the version-pinned Apple Silicon unsigned patch
should follow ADAPTER-PATCH-INSTALLATION.md.
The GPL-3.0 Adapter source is maintained separately at
huaqing0/clash-verge-adapter.
Build Only
npm install
npm run buildConfigure
Set environment variables (see .env.example for reference):
CLASH_CONTROLLER_URL=http://127.0.0.1:9097
CLASH_CONTROLLER_SECRET=your-secret-here
# Optional: Unix socket fallback (auto-detected from Verge if not set)
# CLASH_CONTROLLER_SOCKET=/tmp/verge/verge-mihomo.sockThe secret is in your Clash Verge Rev generated config (clash-verge.yaml), under the secret: key.
Never commit your secret to git. Configure it via MCP env in your agent config or system environment variables.
Run
# Start MCP server (stdio)
npm start
# Or run directly
node dist/index.jsGeneric MCP client configuration:
{
"mcpServers": {
"clash-control": {
"command": "node",
"args": ["/path/to/clash-control-mcp/dist/index.js"],
"env": {
"CLASH_CONTROLLER_URL": "http://127.0.0.1:9097",
"CLASH_CONTROLLER_SECRET": "your-secret"
}
}
}
}Smoke Test
npm run smoke-testValidates the safe read-only Mihomo endpoints and writes a local, gitignored
API-SMOKE-TEST.json. It may contain machine-specific runtime metadata and
must not be published. The reload endpoint remains unverified when no
side-effect-free probe is available.
Tools (66 tools)
v0.1 Read-Only Tools (15)
Tool | Description |
| Environment capabilities (must call first) |
| Comprehensive diagnostics |
| Verge detection: version, paths, compatibility |
| Read Verge network/runtime settings |
| Get config directories and paths |
| Get currently active profile |
| List Verge profiles (summarized and paginated) |
| Inspect a specific profile by UID |
| Mihomo runtime config (from API) |
| Generated Verge config summary with a safe section allowlist |
| Verge persistent config (from file) |
| Audit configuration for issues |
| Mihomo runtime status summary |
| List policy groups (summarized and paginated) |
| Get one policy group's safe, paginated candidate names and runtime health details |
v0.2-A Runtime Control Tools (2)
Tool | Description |
| Test proxy delay with multiple samples, returns median and jitter |
| Switch proxy in Selector group with verification and auto-rollback |
v0.2-B Runtime Discovery and Ops Tools (6)
Tool | Description |
| List safe proxy Provider names and summaries |
| List safe rule Provider names and summaries |
| List redacted connection summaries and IDs |
| Refresh a proxy provider (per-provider lock, confirmed, verified) |
| Refresh a rule provider (per-provider lock, confirmed, verified) |
| Close a specific connection by ID (close-all NOT supported) |
v0.3 Config and Recovery Tools (7)
Tool | Description |
| Create an isolated in-memory workspace |
| Preview a semantic, redacted diff |
| Fail-closed schema, fingerprint, and risk validation |
| Apply a validated low-risk workspace through the authenticated Adapter, then run file/runtime/network/GUI health checks with automatic rollback |
| Restore a persisted transaction snapshot |
| Verify a persisted PENDING_RESTART after Verge restart |
| Read durable transaction/recovery state without modifying manifests or snapshots |
v0.4 Verge Settings Tools (8, capability-gated)
Tool | Description |
| Set unified delay through the guarded settings transaction path |
| Set Mihomo log level |
| Set IPv6 state |
| Strategic-merge the DNS kernel block |
| Configure the mixed proxy port |
| Configure LAN access with strong confirmation |
| Strategic-merge the TUN kernel block with strong confirmation |
| Configure Verge connection cleanup through the native Adapter settings path |
Each setting remains independently capability-gated. On the tested Verge 2.5.1 QA Adapter build, the native settings path performs optimistic concurrency checks, updates Verge memory and persistence, applies Mihomo runtime state, queues GUI refresh, verifies desired/persisted/reported/GUI/ observed evidence, and compensates on failure. Official builds without the Adapter continue to fail closed.
v0.5-A/C Profile & Subscription Tools (6)
Tool | Description |
| Inspect a Verge profile's full chain: base profile, merge layer, override/script layer, rule layer; with per-layer fingerprint, parse status, and redacted subscription URL |
| Inspect a Merge profile's raw structure, fingerprint, and summary |
| Inspect an Override (Script) profile; Script files are fingerprinted by raw content ( |
| Inspect a profile's rule list with stable rule IDs, pagination (default 50, hard cap 200), and rule-level fingerprints |
| Refresh a remote subscription through the authenticated local Clash Verge Adapter. Local profiles return |
| Activate a Profile through Clash Verge itself. Strong two-step nonce confirmation, active-Profile drift detection, and post-operation verification are mandatory because network routing may change |
Security and capability notes:
All UID/path inputs are validated by
^[A-Za-z0-9_-]{1,120}$and resolved withrealpath+ parent-directory walk. Directory-traversal payloads (.., absolute paths,.,-) are rejected before any filesystem access.Inspect payloads are capped (
MAX_RULES_RETURNED = 200,DEFAULT_RULES_LIMIT = 50) and paginate viacursortokens; every layer returns a structuredparseStatus(ok/missing/parse_error/not_yaml) with aparseErrorobject — no silent failures.Subscription URLs are deeply redacted to
scheme://host/***(path and query stripped) before entering any return payload.clash.profiles.refreshdistinguishesrefreshKind: 'subscription'from Mihomo Proxy/Rule Provider refresh (clash.runtime.refresh_proxy_provider/clash.runtime.refresh_rule_provider). It never fakesREFRESHED— when the authenticated Adapter is unavailable it returnsBLOCKEDwith manual GUI steps and theprofileRefreshcapability staysfalse.
Clash Verge Adapter
Profile refresh, activation, persistent Profile writes, synchronized proxy
selection, and native Verge settings writes require the companion Adapter
build. The Adapter is opt-in, listens only on 127.0.0.1, and requires a
per-installation Bearer token. The installer stores that token only in a
private 0600 credentials file; clients receive
CLASH_VERGE_ADAPTER_TOKEN_FILE, not the token itself. Official Clash Verge
builds remain supported for read-only and Mihomo runtime tools; Adapter-owned
writes fail closed.
v0.5-B Profile Persistent Write Tools (5, capability-gated)
Tool | Description |
| Update non-sensitive profile metadata in |
| Update a Merge YAML file with a strategic merge patch. Owner resolved from the target Profile's |
| Update a YAML Override. JavaScript Script files ( |
| Add rules to a section ( |
| Remove rules by fingerprint from a section of the Rules owner file. Each fingerprint must uniquely match exactly one rule — ambiguous matches are rejected. Two-phase: preview → execute with nonce |
All five tools remain fail closed unless the authenticated Adapter reports the matching capability for the tested Verge version. The 2.5.1 RC QA build has passed controlled real update-and-restore samples for metadata, Merge YAML, YAML Override, and independent Rules; JavaScript mutation remains blocked.
Security model:
Owner resolution from
profiles.yamlrealfileandoptionreferences; no filename guessing.realpathboundary check prevents symlink traversal.Non-reusable nonce binds: target Profile UID, owner UID, owner path, owner fingerprint, chain fingerprint, normalized patch hash, section, ruleset fingerprint, and expiry (5-minute TTL).
Full transaction: preview → schema validation → optimistic owner fingerprint check → native Adapter write → persistence/runtime verification → commit or compensating restore.
Dual-layer lock (in-process mutex + cross-process file lock with PID liveness).
Rules use stable anchors (normalized content + adjacent fingerprints), not line numbers.
RULESET_CHANGED_DURING_TRANSACTIONaborts on concurrent modification.A write returns
COMMITTEDonly after the Adapter verifies the applicable persistence/runtime state and queues GUI refresh; unverified paths never claim success.
v1.0 Optimization Tools (12, read-only orchestration helpers)
Tool | Description |
| Collect a versioned network baseline and bounded real probes |
| Diagnose DNS structure, exposure, consistency, and reachability |
| Diagnose duplicate, shadowed, invalid, and owner-partitioned rules |
| Diagnose group membership, selections, liveness, and failover |
| Diagnose provider/group health-check intervals, targets, and cost |
| Layered OpenAI connectivity diagnosis without API keys or paid calls |
| Layered GitHub web/API/download diagnosis without repository writes |
| Layered YouTube network diagnosis without account or DRM access |
| Bounded streaming endpoint diagnosis without unlock claims |
| Reject execution when the original baseline has drifted |
| Classify comparable before/after probes as improved, unchanged, regressed, or inconclusive |
| Validate proposed actions against their individual lower-level capability gates |
Optimizers do not write configuration. They return facts, probes, findings, recommendations, and proposed calls to the existing guarded tools. The calling AI performs one confirmed action at a time, compares identical probes, and invokes the original rollback path immediately on regression.
These helpers are an evidence harness, not a replacement for agent reasoning.
They make common routing semantics explicit for less capable models: global and
direct modes cannot be mistaken for active rule routing, live connection chains
and the current GLOBAL selection are reported separately from static rules,
single-candidate groups are identified as lacking group-level failover, and a
health-check report distinguishes an unreadable configuration from a verified
topology where health checks are not applicable. An agent may still inspect the
lower-level MCP facts and form a different recommendation, but every write stays
behind the same confirmation, capability, verification, and rollback gates.
v1.1 Verge Preferences Tools (5, capability-gated, fail-closed)
Tool | Description |
| Read-only inspect of Clash Verge Preferences (Basic/Theme/Layout/Hotkeys) from verge.yaml plus Adapter memory state; sensitive fields (css_injection, WebDAV credentials, system proxy, TUN, DNS, ports) are listed by name only and redacted |
| Write Basic Preferences (language, theme_mode, tray_event, env_type, start_page) with light confirmation. Two-phase preview→confirm; |
| Write Theme Preferences (primary/secondary/text/info/error/warning/success_color, font_family) with light confirmation and ownerFingerprint |
| Write Layout Preferences (traffic_graph, enable_memory_usage, enable_group_icon, pause_render_traffic_stats_on_blur, collapse_navbar, menu_icon, notice_position, enable_hover_jump_navigator, menu_order) with light confirmation and ownerFingerprint |
| Write Hotkeys (enable_global_hotkey + 8 function→accelerator mappings) with strong nonce-bound confirmation. Nonce binds mapping digest + ownerFingerprint + enable state + 60s expiry; one-time use; no replay |
Schema is keyed to real Clash Verge Rev 2.5.1 source (i18n.ts, setting-verge-basic.tsx, pages/_routers.tsx, layout-viewer.tsx, hotkey-viewer.tsx, core/hotkey.rs, config/verge.rs):
13 real languages, 5 tray events (Linux unsupported), 5 env types (IMMEDIATE), 8 start pages (with leading
/), 3 menu icons, 4 notice positions8 public hotkey functions (
open_or_close_dashboard,clash_mode_rule,clash_mode_global,clash_mode_direct,toggle_system_proxy,toggle_tun_mode,entry_lightweight_mode,reactivate_profiles);quit/hideare native internal shortcuts and are NOT in the allowlistAccelerator aliases are canonicalized before duplicate/reserved checks; macOS input/window combinations observed in the real desktop environment (
Command+Space,Control+Space, and their protected variants) are rejected by both MCP and Adaptercommon_tray_iconremoved from the write allowlist (no safe icon asset and verifiable side effect)
Security model (per Codex v1.1 review P0/P1 rectification):
No fake COMMITTED — Basic/Theme/Layout remain
UNVERIFIEDuntil GUI-visible effects are acknowledged;start_pageisPENDING_RESTARTuntil the next Clash Verge launch because closing the dashboard only hides and reuses the current WebView. Hotkeys becomeCOMMITTEDonly when memory,verge.yaml, and the native Tauri registration set all match; incompleteok=truebodies remainUNVERIFIED.Structured 409/429 — 409 +
errorCode: "CHANGED"→PREFERENCES_CHANGED(state drift, caller must re-preview, returns REJECTED); 409 without errorCode →TRANSACTION_BUSY(mutation busy, returns BLOCKED); 429 +retryAfterMs→ADAPTER_RATE_LIMITED(returns BLOCKED with retryAfterMs).Light confirmation fingerprint —
confirm=truefor Basic/Theme/Layout must carry theownerFingerprintreturned by a matching, unexpired preview for the identical values. MCP re-reads the strict Adapter snapshot and rejects missing, drifted, changed, or direct-confirm attempts.Real ownerFingerprint — Adapter and read-only inspect both use SHA-256 over the exact
verge.yamlbytes (first 16 bytes / 32 lowercase hex); the legacy fixed"adapter"placeholder and JSON-object fingerprint are not used for writes.Adapter-side deny_unknown_fields DTO —
VergePreferencesBody/HotkeysBodyreject unknown fields; Adapter independently validates types/enums/lengths/colors/fonts/menu_order/platform/prototype pollution and returns 400 REJECTED before any memory/file/OS modification.Compensating rollback re-verification — On failure, the Adapter re-reads memory and persisted state; Hotkeys also re-check the native registration set. A Preferences rollback is
ROLLED_BACKonly when memory, persisted bytes, native side-effect replay, and GUI-refresh scheduling all succeed; missing evidence remainsRECOVERY_REQUIRED.rollbackVerifiednever relies only onpatch_verge(...).is_ok().Hotkeys transactional — Adapter saves original mapping/enable/verifiable OS registration set before writing; on partial registration failure it explicitly unregisters the new keys and restores the old set, then re-verifies. If the Tauri global-shortcut API cannot reliably enumerate or verify OS registration, the result is fail-closed
UNVERIFIED/ROLLED_BACK/RECOVERY_REQUIRED, neverCOMMITTED.
The four write tools require authenticated Adapter capability settings.verge-preferences plus the matching fine-grained write capability. Read-only inspect may fall back to local verge.yaml, but never invents confirmation evidence when the real owner bytes are unavailable. macOS/Clash Verge 2.5.1 real-desktop acceptance covered visible Basic/Theme/Layout changes, NEXT_LAUNCH start-page behavior, native hotkey registration, 409/429/BUSY faults, same-call rollback, byte-exact restoration, and unchanged Profile/network state. Synthetic accessibility key events are not treated as proof of a physical global-hotkey callback.
Supported Versions
Component | Verge Rev Version | Status |
Core MCP controller/read/runtime tools | 2.5.1 | tested |
Core MCP controller/read/runtime tools | 2.0.0+ | compatible (not fully tested) |
Companion Adapter App | 2.5.1 | only currently accepted upstream version |
Any component | < 2.0.0 | unsupported |
Security
Controller credentials are read from the selected client's private managed config or process environment; Adapter tokens are read from the private credentials file referenced by
CLASH_VERGE_ADAPTER_TOKEN_FILEAll outputs are redacted (tokens, passwords, subscription URLs)
No arbitrary shell, file, HTTP, or API access
See SECURITY.md for details
Roadmap
See ROADMAP.md.
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/huaqing0/clash-control-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server