Interactive Mcp

Vibe coding should have human in the loop! interactive-mcp: Local, cross-platform MCP server for interact with your AI Agent

StaleNot tested

Data AI / ML

★ 340npm GitHub

51No CVEsstaleMIT

Quick Install

{
  "mcpServers": {
    "interactive": {
      "args": [
        "-y",
        "interactive-mcp"
      ],
      "command": "npx"
    }
  }
}

Setup guide

Should you use this server?

Vibe coding should have human in the loop! interactive-mcp: Local, cross-platform MCP server for interact with your AI Agent

✓

Is it safe?

No known CVEs for pnpm. 12 previously resolved.

No authentication — any process on your machine can connect.

MIT. View license →

Is it maintained?

Last commit 137 days ago. 340 stars.

Will it work with my client?

Transport: stdio, sse, http. Works with Claude Desktop, Cursor, Claude Code, and most MCP clients.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Help improve this page

This server is missing a description. Tools and install config are also missing.If you've used it, help the community.

Add information

Score Breakdown

MCPpedia Score

Click each category to see evidence

51C

Last scored 12h ago

How we score →

Security

22/30

No open vulnerabilities. 12 fixed CVEs.

✓

Known CVEs — No known CVEs for pnpmcheck OSV.dev

○

Tool safety — No tools to analyze

○

Tool poisoning — No tools to analyze

○

Injection vectors — No tools to analyze

✓

Tool stability — Tool definitions stable

○

Dependency health — found on deps.dev

✓

License — License: MIT

○

Authentication — No authentication required

○

Repository — active repo

Advisories (0 open, 12 fixed)

mediumCVSS 4CVE-2026-24131Fixed

pnpm has Path Traversal via arbitrary file permission modification

### Summary When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. **Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). ### Details Vulnerable code in `pkg-manager/package-bins/src

Affected: >= 0Fixed in 10.28.2Published Jan 26, 2026source \u2192

lowCVSS 3.1CVE-2026-23888Fixed

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

### Summary A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outsid

Affected: >= 0Fixed in 10.28.1Published Jan 26, 2026source \u2192

CVEs checked daily via OSV.dev. Score algorithm is open source.

lowCVSS 3.1CVE-2026-23889Fixed

pnpm has Windows-specific tarball Path Traversal

### Summary A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. **This vulnerability is Windows-only.** ### Details **1. Incomplete Path Normalization (`store/cafs/src/parseTarball.ts:107-110`)** ```typescript if (fileName.includes('./')) { fileName = path.posix.join('/'

Affected: >= 0Fixed in 10.28.1Published Jan 26, 2026source \u2192

lowCVSS 3.1CVE-2026-23890Fixed

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

### Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. ### Details The vulnerability exists in the bin name validation and normalization logic: **1. Validation Bypass (`pkg-manager/package-bins/src/index.ts`)** The filter allows any bin name starting wit

Affected: >= 0Fixed in 10.28.1Published Jan 26, 2026source \u2192

lowCVSS 3.1CVE-2026-24056Fixed

pnpm has symlink traversal in file:/git dependencies

### Summary When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. **Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affe

Affected: >= 0Fixed in 10.28.2Published Jan 26, 2026source \u2192

lowCVSS 3.1CVE-2025-69264Fixed

pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

# pnpm v10+ Git Dependency Script Execution Bypass ### Summary A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during `pnpm install`, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks `postinstall` scripts via the `onlyBuiltDependencies` mechanism, git dependencies can still execute `prepare`, `prepublish`, and `prepack` scripts during the fetch phase, enabling remote

Affected: >= 10.0.0Fixed in 10.26.0Published Jan 7, 2026source \u2192

lowCVSS 3.1CVE-2025-69263Fixed

pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies

### Summary HTTP tarball dependencies (and git-hosted tarballs) are stored in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. ### Details When a package depends on an HTTP tarball URL, pnpm's tarball resolver returns only the URL without computing an integrity hash: `resolving/tarball-resolver/src/index.ts`: ```javascript return { resolution: { tarball: resolvedUrl, // No integrity f

Affected: >= 0Fixed in 10.26.0Published Jan 7, 2026source \u2192

lowCVSS 3.1CVE-2025-69262Fixed

pnpm vulnerable to Command Injection via environment variable substitution

## Summary A command injection vulnerability exists in pnpm when using environment variable substitution in `.npmrc` configuration files with `tokenHelper` settings. An attacker who can control environment variables during pnpm operations could achieve remote code execution (RCE) in build environments. ## Affected Components - **Package**: pnpm - **Versions**: All versions using `@pnpm/config.env-replace` and `loadToken` functionality - **File**: `pnpm/network/auth-header/src/getAuthHeadersFr

Affected: >= 6.25.0Fixed in 10.27.0Published Jan 7, 2026source \u2192

lowCVSS 3.1CVE-2024-47829Fixed

pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting

The path shortening function is used in pnpm： ``` export function depPathToFilename (depPath: string, maxLengthWithoutHash: number): string { let filename = depPathToFilenameUnescaped(depPath).replace(/[\\/:*?"<>|]/g, '+') if (filename.includes('(')) { filename = filename .replace(/\)$/, '') .replace(/(\)$)|\(|$/g, '_') } if (filename.length > maxLengthWithoutHash || filename !== filename.toLowerCase() && !filename.startsWith('file+')) { return `${filename.substring

Affected: >= 0Fixed in 10.0.0Published Apr 23, 2025source \u2192

mediumCVSS 4CVE-2024-53866Fixed

pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion

### Summary pnpm seems to mishandle overrides and global cache: 1. Overrides from one workspace leak into npm metadata saved in global cache 2. npm metadata from global cache affects other workspaces 3. installs by default don't revalidate the data (including on first lockfile generation) This can make workspace A (even running with `ignore-scripts=true`) posion global cache and execute scripts in workspace B Users generally expect `ignore-scripts` to be sufficient to prevent immediate code e

Affected: >= 0Fixed in 9.15.0Published Dec 10, 2024source \u2192

lowCVSS 3.1CVE-2023-37478Fixed

pnpm incorrectly parses tar archives relative to specification

### Summary It is possible to construct a tarball that, when installed via npm or parsed by the registry is safe, but when installed via pnpm is malicious, due to how pnpm parses tar archives. ### Details The TAR format is an append-only archive format, and as such, the specification for how to update a file is to add a new record to the end with the updated version of the file. This means that it is completely valid for an archive to contain multiple copies of, say, `package.json`, and the exp

Affected: >= 0Fixed in 7.33.4Published Aug 1, 2023source \u2192

lowCVSS 3.1CVE-2022-26183Fixed

Untrusted Search Path in PNPM

PNPM prior to v6.15.1 was discovered to contain an untrusted search path which causes the application to behave in unexpected ways when users execute PNPM commands in a directory containing malicious content. This vulnerability occurs when the application is ran on Windows OS.

Affected: >= 0Fixed in 6.15.1Published Mar 23, 2022source \u2192

Interactive Mcp

Quick Install

Should you use this server?

Test This Server

Help improve this page

Score Breakdown

MCPpedia Score

Security

Advisories (0 open, 12 fixed)

Reviews

Discussion