Is io.github.storybookjs/addon-mcp safe to use?

io.github.storybookjs/addon-mcp has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install io.github.storybookjs/addon-mcp?

io.github.storybookjs/addon-mcp supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What AI clients work with io.github.storybookjs/addon-mcp?

io.github.storybookjs/addon-mcp is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.

Is io.github.storybookjs/addon-mcp actively maintained?

io.github.storybookjs/addon-mcp is actively maintained — last commit was 2 days ago. It has 248 GitHub stars.

io.github.storybookjs/addon-mcp

Official

pnpm

Help agents automatically write and test stories for your UI components.

248 103.2M/wk 0 tools GitHub npm

No known CVEs

No license

Actively maintained

Last commit 2d ago

Works with most clients

Transport: stdio, sse, http

0 tools

Grade F

Edit this pageView history

Developer Tools

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "io-github-storybookjs-addon-mcp": {
      "args": [
        "-y",
        "pnpm"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/io-github-storybookjs-addon-mcp)](https://mcppedia.org/s/io-github-storybookjs-addon-mcp)

Read me

What io.github.storybookjs/addon-mcp does

Welcome to the Storybook MCP Addon monorepo! This project enables AI agents to work more efficiently with Storybook by providing an MCP (Model Context Protocol) server that exposes UI component information and development workflows.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

63/100across 5 weighted dimensions

How we score →

0255075100

−37

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

12 fixed

CVE-2026-24131medium · fixedCVSS 4

pnpm has Path Traversal via arbitrary file permission modification

### Summary When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. **Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). ### Details Vulnerable code in `pkg-manager/package-bins/src

Affected: >= 0Fixed in 10.28.2source →

CVE-2026-23888low · fixedCVSS 3.1

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

### Summary A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outsid

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23889low · fixedCVSS 3.1

pnpm has Windows-specific tarball Path Traversal

### Summary A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. **This vulnerability is Windows-only.** ### Details **1. Incomplete Path Normalization (`store/cafs/src/parseTarball.ts:107-110`)** ```typescript if (fileName.includes('./')) { fileName = path.posix.join('/'

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23890low · fixedCVSS 3.1

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

### Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. ### Details The vulnerability exists in the bin name validation and normalization logic: **1. Validation Bypass (`pkg-manager/package-bins/src/index.ts`)** The filter allows any bin name starting wit

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-24056low · fixedCVSS 3.1

pnpm has symlink traversal in file:/git dependencies

### Summary When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. **Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affe

Affected: >= 0Fixed in 10.28.2source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is io.github.storybookjs/addon-mcp safe to use?: io.github.storybookjs/addon-mcp has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install io.github.storybookjs/addon-mcp?: io.github.storybookjs/addon-mcp supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with io.github.storybookjs/addon-mcp?: io.github.storybookjs/addon-mcp is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is io.github.storybookjs/addon-mcp actively maintained?: io.github.storybookjs/addon-mcp is actively maintained — last commit was 2 days ago. It has 248 GitHub stars.

Similar servers

Others in developer-tools

View all →

XcodeBuildMCP97

XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.

5.8k 1

XcodeBuildMCP97

A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.

5.8k 2

Mcp_agent_mail96

Asynchronous coordination layer for AI coding agents: identities, inboxes, searchable threads, and advisory file leases over FastMCP + Git + SQLite

2.0k 6

Figma Console Mcp96

MCP server for accessing Figma plugin console logs and screenshots via Cloudflare Workers or local mode

1.8k 2

MCP Security Weekly

Get CVE alerts and security updates for io.github.storybookjs/addon-mcp and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Developer Tools

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "io-github-storybookjs-addon-mcp": {
      "args": [
        "-y",
        "pnpm"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/io-github-storybookjs-addon-mcp)](https://mcppedia.org/s/io-github-storybookjs-addon-mcp)

Read me

What io.github.storybookjs/addon-mcp does

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

README

Storybook MCP - Contributor Guide

📦 Packages

This monorepo contains five main packages:

@storybook/mcp - Standalone MCP library for serving Storybook component knowledge (can be used independently)
@storybook/addon-mcp - Storybook addon that runs an MCP server within your Storybook dev server, and includes the functionality of @storybook/mcp from your local Storybook
@storybook/mcp-proxy - Stable MCP proxy package for Storybook agent integrations
@storybook/claude-code-plugin - Claude Code plugin with Storybook setup skills and MCP configuration that starts @storybook/mcp-proxy
@storybook/codex-plugin - Codex plugin with Storybook setup skills and MCP configuration that starts @storybook/mcp-proxy

Each package has its own README with user-facing documentation. This document is for contributors looking to develop, test, or contribute to these packages.

🚀 Quick Start

Testing the Claude and Codex plugins from GitHub

External testers can install the plugin marketplace directly from this repository's main branch. No local clone is required.

Codex

codex plugin marketplace add storybookjs/mcp --ref main
codex plugin add storybook@storybook

Verify the marketplace and plugin:

codex plugin marketplace list
codex plugin list --marketplace storybook

Claude Code

claude plugin marketplace add storybookjs/mcp@main --scope user
claude plugin install storybook@storybook --scope user

Verify the plugin and MCP server:

claude plugin list --json
claude mcp list

claude mcp list should show plugin:storybook:storybook using the @storybook/mcp-proxy preview URL from pkg.pr.new.

The repository intentionally keeps marketplace catalogs in two places. The root catalogs support GitHub installs from storybookjs/mcp; the package-local catalogs support local package development scripts. They should stay identical except for the relative plugin source path, and the package validation checks that they do.

Prerequisites

Node.js 24+ - The project requires Node.js 24 or higher (see .nvmrc)
pnpm 10.19.0+ - Strict package manager requirement (enforced in package.json)

# Use the correct Node version
nvm use

# Install pnpm if you don't have it
npm install -g pnpm@10.19.0

Installation

# Clone the repository
git clone https://github.com/storybookjs/mcp.git
cd addon-mcp

# Install all dependencies (for all packages in the monorepo)
pnpm install

Development Workflow

# Build all packages
pnpm build

# Start development mode (watches for changes in all packages)
pnpm dev

# Run unit tests in watch mode
pnpm test

# Run unit tests once
pnpm test:run

# Run Storybook with the addon for testing
pnpm --filter internal-storybook storybook

The Storybook command starts:

The internal test Storybook instance on http://localhost:6006
The addon in watch mode, so changes are reflected automatically
MCP server available at http://localhost:6006/mcp

🛠️ Common Tasks

Development

The turbo watch build command runs all packages in watch mode, automatically rebuilding when you make changes:

# Start development mode for all packages
pnpm turbo watch build

# This is usually all you need - starts Storybook AND watches addon for changes
pnpm storybook

Building

# Build all packages
pnpm build

Testing

The monorepo uses a centralized Vitest configuration at the root level with projects configured for each package:

# Watch tests across all p

... [View full README on GitHub](https://github.com/storybookjs/mcp#readme)

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

63/100across 5 weighted dimensions

How we score →

0255075100

−37

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

12 fixed

CVE-2026-24131medium · fixedCVSS 4

pnpm has Path Traversal via arbitrary file permission modification

Affected: >= 0Fixed in 10.28.2source →

CVE-2026-23888low · fixedCVSS 3.1

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23889low · fixedCVSS 3.1

pnpm has Windows-specific tarball Path Traversal

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23890low · fixedCVSS 3.1

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-24056low · fixedCVSS 3.1

pnpm has symlink traversal in file:/git dependencies

Affected: >= 0Fixed in 10.28.2source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is io.github.storybookjs/addon-mcp safe to use?: io.github.storybookjs/addon-mcp has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install io.github.storybookjs/addon-mcp?: io.github.storybookjs/addon-mcp supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with io.github.storybookjs/addon-mcp?: io.github.storybookjs/addon-mcp is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is io.github.storybookjs/addon-mcp actively maintained?: io.github.storybookjs/addon-mcp is actively maintained — last commit was 2 days ago. It has 248 GitHub stars.

Similar servers

Others in developer-tools

View all →

XcodeBuildMCP97

XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.

5.8k 1

XcodeBuildMCP97

A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.

5.8k 2

Mcp_agent_mail96

Asynchronous coordination layer for AI coding agents: identities, inboxes, searchable threads, and advisory file leases over FastMCP + Git + SQLite

2.0k 6

Figma Console Mcp96

MCP server for accessing Figma plugin console logs and screenshots via Cloudflare Workers or local mode

1.8k 2

MCP Security Weekly

Get CVE alerts and security updates for io.github.storybookjs/addon-mcp and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?