execute_command
Execute Unix/macOS terminal commands through a secure MCP server with controlled access and permission management.
Instructions
Execute a Unix/macOS terminal command.
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| command | Yes | The command to execute | |
| session_id | No | Optional session ID for permission management |
Implementation Reference
- src/server.js:347-417 (handler)Core handler implementation for executing commands.
async _executeCommand(command, { commandType = null, sessionId = null } = {}) { const lists = this.config.getEffectiveCommandLists(); const allowSeparators = this.config.get('security', 'allow_command_separators', true); const validation = validateCommand( command, lists.read, lists.write, lists.system, lists.blocked, lists.dangerous_patterns, allowSeparators, ); if (!validation.is_valid) return { success: false, output: '', error: validation.error }; if (commandType && validation.command_type !== commandType) { return { success: false, output: '', error: `Command type mismatch. Expected ${commandType}, got ${validation.command_type}` }; } const actualType = validation.command_type; // Directory check const dirCheck = this._checkDirectoryAccess(command, sessionId); if (!dirCheck.allowed) return dirCheck.response; // Permission check for write/system if (actualType !== 'read' && this.config.get('security', 'allow_user_confirmation', true)) { const requireSessionId = this.config.get('security', 'require_session_id', false); if (sessionId && requireSessionId) { const hasApproval = this.sessionManager.hasCommandApproval(sessionId, command) || this.sessionManager.hasCommandTypeApproval(sessionId, actualType); if (!hasApproval) { return { success: false, output: '', error: `Command '${command}' requires approval. Use approve_command_type tool with session_id '${sessionId}'.`, requires_approval: true, command_type: actualType, session_id: sessionId, }; } } // no session or session validation disabled — auto-approve } // Execute the command try { logger.info(`Executing command: ${command}`); const maxOutputSize = this.config.get('output', 'max_size', 100 * 1024); const { stdout, stderr, code } = await new Promise((resolve) => { const child = exec(command, { shell: '/bin/sh' }, (err, stdout, stderr) => { resolve({ stdout: stdout || '', stderr: stderr || '', code: err ? (err.exitCode ?? 1) : 0 }); }); }); let output = stdout; if (output.length > maxOutputSize) { output = output.slice(0, maxOutputSize) + '\n... [output truncated due to size]'; } return { success: code === 0, output, error: stderr, exit_code: code, command_type: actualType, }; } catch (e) { logger.error(`Error executing command: ${e.message}`); return { success: false, output: '', error: e.message }; } } - src/server.js:71-84 (registration)Registration of the execute_command tool in the MCP server.
this.server.tool( 'execute_command', 'Execute a Unix/macOS terminal command.', { command: z.string().describe('The command to execute'), session_id: z.string().optional().describe('Optional session ID for permission management'), }, async ({ command, session_id }) => { const requireSessionId = this.config.get('security', 'require_session_id', false); const sid = (!session_id || !requireSessionId) ? this.claudeDesktopSessionId : session_id; const result = await this._executeCommand(command, { sessionId: sid }); return { content: [{ type: 'text', text: JSON.stringify(result) }] }; }, );