mcp-shell
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-shelllist files in the current directory"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mcp-shell
A native Model Context Protocol server that
exposes a single execute_command tool over the Streamable HTTP transport.
The command runs directly in a subprocess of this server — there is no separate
gateway process and no stdio child.
⚠️ Security first
execute_command is remote command execution by design. This server ships
locked down by default with three independent app-layer controls, which are
meant to sit on top of (not replace) OS- and network-level hardening — defense
in depth:
Layer 1 — Bearer token (required).
Set
MCP_SHELL_TOKEN. The server refuses to start without it.Every HTTP request must send
Authorization: Bearer <token>; anything else gets 401, checked before any MCP session handling.
Layer 2 — Default-deny command allowlist.
MCP_SHELL_ALLOWED_COMMANDSis empty by default, which means zero commands run out of the box.A command executes only if its program (the first token, matched by name or basename) is explicitly allowlisted.
Commands containing shell control characters (
;,&,|,`,$,(),<>, …) are rejected, so an allowlisted program can't be used to chain into a non-allowlisted one.
Layer 3 — Origin validation (DNS-rebinding protection).
Per the MCP specification, the
Originheader is validated on every request. A request carrying a disallowedOrigingets 403, checked before authentication.Accepted origins default to loopback (
localhost/127.0.0.1/[::1]); override withMCP_SHELL_ALLOWED_ORIGINS(comma-separated).Requests with no
Originheader (non-browser clients — the normal case for this server) pass through; the opaqueOrigin: nullis rejected.
The executed command's environment is also scrubbed of this server's own
secret and control variables (MCP_SHELL_TOKEN, the allowlist, PORT, HOST,
…), so an allowlisted command such as env can't read the bearer token. PATH,
HOME, and unrelated variables pass through unchanged.
Operational hardening (your responsibility, and just as important).
Run the server as a dedicated least-privileged user, never root.
Keep the default bind of
127.0.0.1and put access control in front of it (an authenticated reverse proxy / tunnel). Do not expose it on a public interface.Treat the token as a secret; rotate it; scope the allowlist as narrowly as the use case allows.
Related MCP server: MCP Shell Server
The tool
Tool | Arguments | Returns |
|
|
|
Output is capped at 100 KB per stream (truncated with a marker); a command that
exceeds its timeout is killed with a [PROCESS KILLED] note.
Quickstart
npm install
# Token is mandatory; allowlist is default-deny — enable only what you need.
MCP_SHELL_TOKEN="$(openssl rand -hex 32)" \
MCP_SHELL_ALLOWED_COMMANDS="echo,ls,git" \
npm startWithout a token the server exits immediately:
npm start
# [mcp-shell] FATAL: MCP_SHELL_TOKEN is not set. Refusing to start ...Unauthenticated requests are refused:
curl -s -o /dev/null -w '%{http_code}\n' -X POST localhost:3000/mcp \
-H 'Content-Type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}'
# 401MCP clients must send the bearer token on every request. Clients that support the Streamable HTTP transport with custom headers connect with something like (exact key names vary by client):
{
"mcpServers": {
"shell": {
"type": "streamable-http",
"url": "http://127.0.0.1:3000/mcp",
"headers": { "Authorization": "Bearer <MCP_SHELL_TOKEN>" }
}
}
}Configuration (environment)
Variable | Default | Purpose |
| — (required) | Bearer token; server refuses to start if unset. |
| empty (deny all) | Comma-separated allowlisted program names. |
| loopback | Comma-separated allowed |
|
| Port to listen on. |
|
| Bind address. Keep it loopback unless something else gates access. |
|
| MCP Streamable HTTP mount path. |
| derived | Prefix for |
|
| Shell used to run commands. |
Endpoints
POST/GET/DELETE ${MCP_ENDPOINT}— MCP Streamable HTTP transport (per-session).GET ${ROUTE_PREFIX}/healthz— liveness.GET ${ROUTE_PREFIX}/ready— readiness: spawns a throwaway shell and confirms a trivial command round-trips.
All endpoints require the bearer token, and a request with a disallowed Origin
is refused with 403 before auth (CORS preflight OPTIONS excepted).
Testing
npm test # node --testUnit tests cover the helpers, the default-deny allowlist (including the
shell-metacharacter bypass guard), Origin validation, and child-environment
scrubbing. Integration tests boot the real server and, over the MCP Streamable
HTTP client, prove: an allowlisted command runs, a non-allowlisted command is
rejected without executing, a request with no / invalid token gets 401, and
a request with a disallowed Origin gets 403.
License
Apache-2.0
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/imajeure/mcp-shell'
If you have feedback or need assistance with the MCP directory API, please join our Discord server