Public Portfolio MCP
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Public Portfolio MCPsearch your portfolio for projects about security"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Public Portfolio MCP
A small, production-minded read-only JSON-RPC service for exposing a deliberately bounded engineering portfolio to recruiters and external agents.
The interesting part is not the profile data. It is the boundary: callers can invoke three purpose-built tools, but they cannot choose a database table, filesystem path, URL, command, or private application module.
What this demonstrates
Strict TypeScript and zero production dependencies
MCP-style
initialize,tools/list, andtools/callover JSON-RPC 2.0Fixed read-only tool allowlist with exact argument keys
Payload limits, rate limiting, CORS allowlisting, and security headers
Bounded public text and prompt-injection-shaped input rejection
Stable errors without stack traces or request payload logging
Tests, Docker, GitHub Actions, architecture notes, ADR, and threat model
Related MCP server: MCP Server with External Tools
Architecture
Untrusted client
|
v
HTTP safeguards
|
v
JSON-RPC method allowlist
|
v
Strict tool arguments
|
v
Immutable public recordsSee architecture, threat model, and ADR 0001.
Run locally
cp .env.example .env
npm ci
npm test
npm run devHealth check:
curl http://localhost:3000/healthList tools:
curl http://localhost:3000/mcp \
-H 'content-type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'Search projects:
curl http://localhost:3000/mcp \
-H 'content-type: application/json' \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"search_projects","arguments":{"query":"security","limit":3}}}'Security decisions
The server does not expose a generic query tool. Search runs in memory over known public fields. Tool schemas reject additional properties, and the server does not include a database or outbound HTTP adapter.
Pattern rejection is defense in depth. The main control is the absence of dangerous capabilities.
Trade-offs
The in-memory rate limiter is appropriate for this standalone example, not for a multi-instance global quota. A production deployment should use an external atomic store and trust forwarded client identity only from a controlled edge proxy.
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Ovidio-Git/public-portfolio-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server