
CLI MCP Server

Secure command-line execution MCP server that lets Claude run allowlisted commands inside a configured directory with command and flag whitelists, path validation, shell-operator blocking, command-length limits, execution timeouts, and a tool for showing the active security rules.

by Mladen · added 2026-06-06

Harness: Claude Code, Claude Desktop

Review first: review before installing

Open the source and read safety notes before installing.

Safety notes

  • CLI MCP Server executes local commands, so allowed commands can read, write, delete, transform, upload, or run code depending on what is whitelisted.
  • Never set ALLOWED_COMMANDS=all, ALLOWED_FLAGS=all, or ALLOW_SHELL_OPERATORS=true unless the environment is disposable and strongly sandboxed.
  • Keep ALLOWED_DIR narrow; do not point it at a home directory, repository root with secrets, cloud credential directory, SSH directory, or production data.
  • The reviewed implementation blocks shell operators by default and enforces timeouts, but those controls do not replace OS permissions, backups, or process isolation.
  • Ask the show_security_rules tool to confirm the effective policy before allowing run_command.

Privacy notes

  • Command output, file names, file contents, directory listings, environment-derived paths, error messages, and working-directory names can be sent to the MCP client and model.
  • Whitelisted commands such as cat, grep, env, git, curl, package managers, or language runtimes can expose secrets or transmit data if enabled.
  • Logs and transcripts can retain command output and local project context, so do not run against directories containing credentials, customer data, private keys, or unpublished source unless approved.

Prerequisites

  • Python 3.10 or newer and uvx, uv, pipx, or another supported Python runner.
  • A dedicated ALLOWED_DIR that contains only files Claude is approved to inspect or modify.
  • A minimal command allowlist and flag allowlist for the intended workflow.
  • External sandboxing, containerization, or a low-privilege OS user when running anything beyond read-only commands.

Schema details

Install type: cli
Troubleshooting: No
Scope: Source repo
Estimated setup: 10 minutes
Difficulty: advanced

Full copyable content
{
  "mcpServers": {
    "cli-mcp-server": {
      "command": "uvx",
      "args": ["cli-mcp-server"],
      "env": {
        "ALLOWED_DIR": "<approved-working-directory>",
        "ALLOWED_COMMANDS": "ls,cat,pwd",
        "ALLOWED_FLAGS": "-l,-a,--help",
        "ALLOW_SHELL_OPERATORS": "false"
      }
    }
  }
}

About this resource

Content

CLI MCP Server is a Python stdio MCP server for controlled command-line execution. It exposes a run_command tool for executing validated commands inside an allowed directory and a show_security_rules tool for inspecting the active working directory, command allowlist, flag allowlist, maximum command length, timeout, and shell-operator behavior.

The server is designed to provide limited CLI access to an AI assistant while enforcing command whitelists, flag whitelists, path normalization, allowed directory checks, command-length limits, execution timeouts, and default blocking for shell operators such as pipes, redirects, semicolons, and boolean operators.

Source Review

These sources were reviewed on 2026-06-06. Prefer the live repository, README, PyPI metadata, package metadata, package entrypoint, server implementation, registry metadata, and license file for current install commands, environment variables, tool behavior, security controls, and licensing.

Features

  • Python package cli-mcp-server with a cli-mcp-server console command.
  • Stdio MCP server exposing run_command and show_security_rules.
  • Required ALLOWED_DIR base directory for command execution.
  • ALLOWED_COMMANDS and ALLOWED_FLAGS allowlists, with explicit all modes.
  • Shell operator blocking by default, with opt-in ALLOW_SHELL_OPERATORS.
  • Command length and timeout controls.
  • Path normalization and allowed-directory validation for path-like arguments.
  • MIT license.
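To make the control chain described in the Content paragraph and the Features list concrete, here is an added Python illustration (not the project's own code) of how such a validator can be layered: length limit, shell-operator blocking on the raw string, command and flag allowlists, path confinement to ALLOWED_DIR via realpath, and execution only without a shell and with a timeout. The policy values, function names and the "path-like argument" heuristic are assumptions made for the example.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed policy in the spirit of the env config shown on this page (assumed, not the project's own).
POLICY = {
    "allowed_dir": tempfile.gettempdir(),
    "allowed_commands": {"ls", "cat", "pwd"},
    "allowed_flags": {"-l", "-a", "--help"},
    "max_len": 1024,
    "timeout": 30,
}
# Rejected before parsing so quoting cannot hide them; newline blocks multi-line injection.
SHELL_OPERATORS = ("|", ">", "<", ";", "&", "$(", "`", "\n")

class CommandRejected(ValueError):
    """Raised for any policy violation; a rejected command is never executed."""

def validate_command(cmd, policy=POLICY):
    """Return (program, args) if cmd passes every check, else raise CommandRejected."""
    if len(cmd) > policy["max_len"]:
        raise CommandRejected("command exceeds MAX_COMMAND_LENGTH")
    if any(op in cmd for op in SHELL_OPERATORS):
        raise CommandRejected("shell operators are blocked")
    try:
        parts = shlex.split(cmd)
    except ValueError as exc:
        raise CommandRejected(f"unparseable quoting: {exc}") from exc
    if not parts:
        raise CommandRejected("empty command")
    prog, args = parts[0], parts[1:]
    if prog not in policy["allowed_commands"]:
        raise CommandRejected(f"command not allowlisted: {prog}")
    base = os.path.realpath(policy["allowed_dir"])
    for arg in args:
        if arg.startswith("-"):
            # Judge the flag name only, so "--help=x" is checked as "--help".
            if arg.split("=", 1)[0] not in policy["allowed_flags"]:
                raise CommandRejected(f"flag not allowlisted: {arg}")
        elif "/" in arg or arg.startswith((".", "~")):
            # Path-like argument: expand ~, resolve symlinks and "..", then confine to base.
            resolved = os.path.realpath(os.path.join(base, os.path.expanduser(arg)))
            if os.path.commonpath([base, resolved]) != base:
                raise CommandRejected(f"path escapes ALLOWED_DIR: {arg}")
    return prog, args

def is_allowed(cmd, policy=POLICY):
    try:
        validate_command(cmd, policy)
        return True
    except CommandRejected:
        return False

def run_command(cmd, policy=POLICY):
    """Execute only after validation: no shell, fixed cwd, hard timeout."""
    prog, args = validate_command(cmd, policy)
    return subprocess.run([prog, *args], cwd=policy["allowed_dir"], shell=False,
                          capture_output=True, text=True, timeout=policy["timeout"])
```

Because execution uses an argument list with shell=False, operators would never be interpreted anyway; the raw-string check is defense in depth that also keeps them from reaching the program as literal arguments.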

Installation

Run the package with uvx:

uvx cli-mcp-server

Configure a narrow command policy:

{
  "mcpServers": {
    "cli-mcp-server": {
      "command": "uvx",
      "args": ["cli-mcp-server"],
      "env": {
        "ALLOWED_DIR": "<approved-working-directory>",
        "ALLOWED_COMMANDS": "ls,cat,pwd",
        "ALLOWED_FLAGS": "-l,-a,--help",
        "MAX_COMMAND_LENGTH": "1024",
        "COMMAND_TIMEOUT": "30",
        "ALLOW_SHELL_OPERATORS": "false"
      }
    }
  }
}

After restart, call show_security_rules before running commands so the active policy is visible in the conversation.

Use Cases

  • Let Claude list and inspect files in a disposable working directory.
  • Give an assistant narrow read-only access to generated logs or reports.
  • Run tightly scoped diagnostic commands during a guided support session.
  • Expose only safe project scripts or read commands inside a sandboxed folder.
  • Confirm command policy and allowed flags before a human approves execution.

Safety and Privacy

CLI MCP Server should be treated as local code execution. Its controls are useful guardrails, but the actual risk depends on the commands, flags, directory, OS permissions, and sandbox around the MCP process. Start with read-only commands, keep shell operators disabled, and do not use all-mode allowlists on a machine or directory that contains valuable data.

Use a disposable folder, temporary checkout, container, VM, or low-privilege user for anything that can modify files or run scripts. Avoid allowing package managers, interpreters, network clients, credential tools, destructive commands, or broad filesystem commands unless the environment is intentionally isolated.

Command output can contain secrets, source code, customer data, local paths, or environment details. Do not run this server against credential directories, private keys, cloud config folders, production data, or unpublished source unless that exposure has been approved.

Duplicate Check

Existing content includes product-specific CLI servers such as Microsoft 365 CLI MCP, but no MladenSU/cli-mcp-server, secure CLI execution MCP, or generic allowlisted command execution MCP entry was found in content/mcp, content/agents, content/guides, or content/skills. This entry is scoped to the Python cli-mcp-server package and does not duplicate product-specific CLI or infrastructure MCP entries.

#cli #shell #command-line #automation #security
