Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"talos": {
"args": [
"-y",
"talos-mcp"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
An MCP server that exposes Talos Linux cluster management to AI agents (Claude Code, OpenAI Codex, and any MCP-compatible client). Instead of pasting talosctl output into chat, the agent calls structured tools that return machine-readable JSON directly from the Talos gRPC API — zero token cost for intermediate output.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'talos-mcp' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
Checked talos-mcp against OSV.dev.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in devops
MCP server for using the GitLab API
A Unified MCP Server Management App (MCP Manager).
MCP server for Komodo - manage Docker containers, servers, stacks, and deployments via AI
MCP-NixOS - Model Context Protocol Server for NixOS resources
MCP Security Weekly
Get CVE alerts and security updates for io.github.Nosmoht/talos-mcp-server and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
An MCP server that exposes Talos Linux cluster management to AI agents (Claude Code, OpenAI Codex, and any MCP-compatible client). Instead of pasting talosctl output into chat, the agent calls structured tools that return machine-readable JSON directly from the Talos gRPC API — zero token cost for intermediate output.
Connects to your cluster via the native Talos gRPC API using the same mTLS credentials as talosctl (~/.talos/config).
Via npm (no Go required, Linux/macOS, amd64/arm64):
npx talos-mcp
Via npm (global install) for persistent invocation from $PATH:
npm install -g talos-mcp
Installs the binary as <npm-prefix>/bin/talos-mcp. Verify with:
which talos-mcp # path
talos-mcp --version # version + commit hash
npm list -g talos-mcp # npm's view of the installed version
Upgrade to the latest published release:
npm install -g talos-mcp@latest
New releases appear on npmjs.com within minutes of every feat: / fix: / perf: (or breaking) merge to main — see CONTRIBUTING.md § Post-merge release pipeline for the mechanism.
Download binary (Linux/macOS, amd64/arm64):
Download the latest release from GitHub Releases, extract, and place the binary in your $PATH.
Build from source (requires Go 1.21+):
git clone https://github.com/Nosmoht/talos-mcp-server
cd talos-mcp
go build -o talos-mcp ./cmd/talos-mcp
Reads ~/.talos/config by default (the same file talosctl uses). Override via environment variables:
| Variable | Default | Description |
|---|---|---|
TALOSCONFIG | ~/.talos/config | Path to talosconfig file |
TALOS_CONTEXT | active context | Context name to use |
TALOS_ENDPOINTS | from config | Comma-separated endpoint overrides |
TALOS_MCP_READ_ONLY | false | Set to true to disable all mutating tools at startup |
TALOS_MCP_HTTP_ADDR | (unset) | If set (e.g. :8080), serve Streamable HTTP instead of stdio |
TALOS_MCP_AUTH_TOKEN | (unset) | Required bearer token when HTTP mode is active |
TALOS_MCP_ALLOWED_NODES | (unset) | Comma-separated IPs, hostnames, and CIDR ranges permitted as tool targets. Unset allows all. |
TALOS_MCP_ALLOWED_PATHS | (all) | Comma-separated path prefixes allowed for talos_read_file and talos_list_files (e.g. /etc,/proc). Defense-in-depth only — checks run on the MCP server host and do not resolve symlinks on the remote Talos node, so a symlink under an allowed prefix that points elsewhere is not detected. |
TALOS_MCP_SKIP_VERSION_CHECK | false | Set to true to bypass upgrade path validation (e.g. for factory images or custom tags) |
TALOS_MCP_ENABLE_INSECURE | false | Unlock insecure=true on talos_apply_config / talos_get / talos_version / talos_meta. Bypasses mTLS — REQUIRES `TALOS_MCP_INSECURE_AL |