Observe and operate Hatchet workflows from an AI agent — runs, logs, trigger, cancel, replay.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"hatchet": {
"env": {
"HATCHET_CLIENT_TOKEN": "<your-hatchet-api-token>"
},
"args": [
"-y",
"hatchet-mcp"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
An MCP server that lets AI agents observe and operate Hatchet workflows — status, runs, logs, workers, and metrics, plus trigger / cancel / replay.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
## Summary `pnpm` accepts package names from the env lockfile `configDependencies` section and uses those names directly when creating config dependency symlinks under `node_modules/.pnpm-config`. A malicious repository can commit a crafted `pnpm-lock.yaml` whose env-lockfile document contains a traversal-shaped config dependency name such as `../../PWNED_CFGDEP`. During `pnpm install`, pnpm installs the config dependency and creates a symlink at a path derived from that name. In local testin
pnpm: `patch-remove` could delete project-selected files outside the patches directory
## Summary The `patch-remove` deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm. A crafted patch entry could resolve outside the configured patches directory and cause `pnpm patch-remove` to delete an arbitrary reachable file. This patch validates the configured directory and every resolved target before unlinking anything, then deletes the final directory entry without following it. ## Security boundary - Traversal and absolute paths that resolve
pnpm: Hoisted install imports lockfile alias outside node_modules
## Summary The hoisted dependency alias issue tracked as GHSA-fr4h-3cph-29xv / CAND-PNPM-059 has been addressed in both pnpm and pacquet. A crafted lockfile alias could be joined directly under a hoisted `node_modules` directory. Traversal aliases could escape that directory, while reserved aliases such as `.bin` or `.pnpm` could overwrite pnpm-owned layout. This patch validates package-name semantics and path containment before graph insertion or filesystem work. ## Security boundary - The
pnpm: `stage download` writes outside its destination directory via manifest name/version traversal
## Summary The staged-tarball filename traversal reported as GHSA-v23m-ccfg-pq9h / CAND-PNPM-038 is fixed on `main` by [pnpm/pnpm#12303](https://github.com/pnpm/pnpm/pull/12303), merged as `65443f4bdf1f0db9c8c7dc58fee25252607e9234`. Before the fix, `pnpm stage download` derived a local filename from registry-controlled package name and version fields. A crafted manifest could escape the selected download directory and overwrite another reachable file. The merged fix validates both fields, deri
pnpm: Reserved bin name deletes PNPM_HOME during global remove
<details> <summary>Maintainer Action Plan</summary> ## Maintainer Action Plan This report is ready to review with the shared patch branch. Start with the PR and the expected fixed behavior, then use the detailed exploit narrative below only if you want to replay the original path. - Advisory: `CAND-PNPM-085` / `GHSA-4gxm-v5v7-fqc4` - Advisory URL: https://github.com/pnpm/pnpm/security/advisories/GHSA-4gxm-v5v7-fqc4 - Shared patch PR: https://github.com/pnpm/pnpm-ghsa-j2hc-m6cf-6jm8/pull/1 - S
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in ai-ml
Dynamic problem-solving through sequential thought chains
Workspace template + MCP server for Claude Code, Codex CLI, Cursor & Windsurf. Multi-agent knowledge engine (ag-refresh / ag-ask) that turns any codebase into a queryable AI assistant.
Persistent memory using a knowledge graph
Privacy-first. MCP is the protocol for tool access. We're the virtualization layer for context.
MCP Security Weekly
Get CVE alerts and security updates for io.github.ElliotPadfield/hatchet-mcp and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
An MCP server that lets AI agents observe and operate Hatchet workflows — status, runs, logs, workers, and metrics, plus trigger / cancel / replay.
Why: Hatchet has a great API but no MCP. This wraps it so agents (Claude Code / Desktop, etc.) can see and act on workflow state.
Add this to your Claude Code / Claude Desktop MCP config:
{
"mcpServers": {
"hatchet": {
"command": "npx",
"args": ["-y", "hatchet-mcp"],
"env": { "HATCHET_CLIENT_TOKEN": "<your-hatchet-api-token>" }
}
}
}
Get the token from the Hatchet dashboard → API tokens. The token is a JWT that encodes the server URL and tenant, so it's the only required setting.
| Variable | Required | Description |
|---|---|---|
HATCHET_CLIENT_TOKEN | Yes | Hatchet API token (JWT). Encodes the server URL + tenant, so it's normally all you need. |
HATCHET_API_BASE | No | Override the API base URL. Self-hosters can point this at any Hatchet instance. |
HATCHET_TENANT_ID | No | Override the tenant id decoded from the token. |
Self-hosting? Set HATCHET_API_BASE to your own Hatchet instance and it works anywhere.
| Tool | Description |
|---|---|
whoami | Show the resolved Hatchet tenant + server URL and confirm the token works. |
list_workflows | List workflow definitions for the tenant. |
list_runs | List workflow runs (with an optional lookback window and filters). |
get_run | Get the full detail of one workflow run — status, tasks, errors. |
get_run_logs | Get log lines for a task by its external id. |
list_workers | List workers and their status. |
get_queue_metrics | Get task/queue metrics for the tenant (queue health). |
| Tool | Description |
|---|---|
trigger_workflow | Trigger a new workflow run by name with a JSON input payload. |
cancel_runs | Cancel one or more runs/tasks by external id. |
replay_runs | Replay/retry one or more runs/tasks by external id. |
The read tools (whoami, list_workflows, list_runs, get_run, get_run_logs, list_workers, get_queue_metrics) are non-destructive.
trigger_workflow, cancel_runs, and replay_runs mutate live state — their descriptions are prefixed MUTATES LIVE STATE so agents and users know they affect real runs.
The token grants full tenant access — treat it as a secret. Never commit it to source control.
pnpm install
pnpm test # vitest
pnpm build # tsup -> dist/index.js
TypeScript / ESM, tested with vitest.
v0.1.0 — all tools verified against Hatchet Cloud; works with self-hosted instances via HATCHET_API_BASE. trigger_workflow uses the stable /workflow-runs/trigger endpoint.