Config is the same across clients — only the file and path differ.
{
  "mcpServers": {
    "stata-mcp": {
      "args": [
        "stata-mcp"
      ],
      "command": "uvx"
    }
  }
}
Let LLM help you achieve your regression analysis with Stata ✨ Evolve from reg monkey to causal thinker 🐒 -> 🧐
Run this in your terminal to verify the server starts. The success message is printed whenever `head` exits successfully, so confirm from the first line of output that the server actually started.
uvx 'stata-mcp' 2>&1 | head -1 && echo "✓ Server started successfully"
MCP-for-Stata: Command injection via log_file_name parameter in Stata command wrapper
### Summary
The `log_file_name` parameter in the `stata_do` API and CLI is directly interpolated into a Stata command string without sanitization. The security guard (`GuardValidator`) only scans the do-file content but does not validate this parameter. An attacker can inject arbitrary Stata commands (including `shell`, `python`, `erase`, etc.) by crafting a malicious `log_file_name` containing quotes, newlines, or Stata command separators.

### Details
In `src/stata_mcp/stata/stata_do/do.py`,
stata-mcp has insufficient validation of user-supplied Stata do-file content that can lead to command execution
A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.
Enable Claude Code, Codex, OpenClaw, and other AI agents to safely invoke Stata on your local device for data analysis.
Stata is a registered trademark of StataCorp LLC. This project is an independent community-developed tool and is not affiliated with, endorsed by, or sponsored by StataCorp LLC.
stata-mcp tool), see OpenClaw guide
Looking for our newest research? View latest research reports.
MCP or AI about Stata
- A session-based MCP server for Stata: mcp-stata
- IDE (VS Code or Cursor) integration: stata-mcp for VSCode. Not sure how they differ? 💡 Comparison
Datasets and Information
- STOP Dataset: StataMCP-Team Opendata Project 📊. We have open-sourced a comprehensive dataset collection for social science research, aiming to enable the future of AI-driven and data-powered research paradigms.
The AGPL 3.0 License is a type of open-source license. It does not affect your daily use, and allows you to use, modify, and distribute this software free of charge, provided that you comply with its terms, such as retaining the original copyright notices.
Notes: While we strive to make open source accessible to everyone, we regret that we can no longer maintain the Apache-2.0 License. Due to individuals directly copying this project and claiming to be its maintainers, we have decided to change the license to AGPL-3.0 to prevent misuse of the project in ways that go against our original vision.
The reasons are as follows:
Background: @jackdark425's repository directly copied this project and claimed to be the sole maintainer. We welcome open source collaboration based on f