Is Mcp Hacker News safe to use?

Mcp Hacker News has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install Mcp Hacker News?

Mcp Hacker News supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What AI clients work with Mcp Hacker News?

Mcp Hacker News is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.

Is Mcp Hacker News actively maintained?

Mcp Hacker News is less actively maintained — last commit was 355 days ago. It has 32 GitHub stars.

Mcp Hacker News

Name: Mcp Hacker News
Author: paabloLC

pnpm · by paabloLC

This MCP server acts as a bridge between the official Hacker News API and AI-powered tools that support the Model Context Protocol, such as Claude and Cursor.

32 93.4M/wk 0 tools GitHub npm

No known CVEs

No license

Stale

Last commit 355d ago

Works with most clients

Transport: stdio, sse, http

0 tools

Grade F

Edit this pageView history

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "mcp-hacker-news": {
      "args": [
        "-y",
        "mcp-hacker-news"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/mcp-hacker-news)](https://mcppedia.org/s/mcp-hacker-news)

Read me

What Mcp Hacker News does

A Model Context Protocol (MCP) server for Hacker News built with TypeScript.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

51/100across 5 weighted dimensions

How we score →

0255075100

−49

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

12 fixed

CVE-2026-24131medium · fixedCVSS 4

pnpm has Path Traversal via arbitrary file permission modification

### Summary When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. **Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). ### Details Vulnerable code in `pkg-manager/package-bins/src

Affected: >= 0Fixed in 10.28.2source →

CVE-2026-23888low · fixedCVSS 3.1

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

### Summary A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outsid

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23889low · fixedCVSS 3.1

pnpm has Windows-specific tarball Path Traversal

### Summary A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. **This vulnerability is Windows-only.** ### Details **1. Incomplete Path Normalization (`store/cafs/src/parseTarball.ts:107-110`)** ```typescript if (fileName.includes('./')) { fileName = path.posix.join('/'

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23890low · fixedCVSS 3.1

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

### Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. ### Details The vulnerability exists in the bin name validation and normalization logic: **1. Validation Bypass (`pkg-manager/package-bins/src/index.ts`)** The filter allows any bin name starting wit

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-24056low · fixedCVSS 3.1

pnpm has symlink traversal in file:/git dependencies

### Summary When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. **Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affe

Affected: >= 0Fixed in 10.28.2source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Mcp Hacker News safe to use?: Mcp Hacker News has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install Mcp Hacker News?: Mcp Hacker News supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with Mcp Hacker News?: Mcp Hacker News is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Mcp Hacker News actively maintained?: Mcp Hacker News is less actively maintained — last commit was 355 days ago. It has 32 GitHub stars.

Similar servers

Others in search

View all →

Brave Search MCP Server98

Web and local search using Brave Search API

86.5k 2

Tavily Mcp96

Production ready MCP server with real-time search, extract, map & crawl.

2.0k 4

Qmd95

mini cli search engine for your docs, knowledge bases, meeting notes, whatever. Tracking current sota approaches while being all local

25.8k 4

Firecrawl Mcp95

MCP server for Firecrawl — search, scrape, and interact with the web. Supports both cloud and self-hosted instances. Features include web search, scraping, page interaction, batch processing, and LLM-powered content analysis.

6.4k 5

MCP Security Weekly

Get CVE alerts and security updates for Mcp Hacker News and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "mcp-hacker-news": {
      "args": [
        "-y",
        "mcp-hacker-news"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/mcp-hacker-news)](https://mcppedia.org/s/mcp-hacker-news)

Read me

What Mcp Hacker News does

A Model Context Protocol (MCP) server for Hacker News built with TypeScript.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

README

mcp-hacker-news

A Model Context Protocol (MCP) server for Hacker News built with TypeScript.

This MCP server acts as a bridge between the official Hacker News API and AI-powered tools that support the Model Context Protocol, such as Claude and Cursor.

It enables these tools to fetch and interact with live Hacker News data (posts, comments, users) via standardized MCP endpoints.

Using with Claude Desktop or Cursor

Add to your Claude desktop config (claude_desktop_config.json) or your Cursor config file (mcp.json) :

{
  "mcpServers": {
    "mcp-hacker-news": {
      "command": "npx",
      "args": ["-y", "mcp-hacker-news"]
    }
  }
}

Features

Integrates with the official Hacker News API to fetch posts, comments, and user information.
Exposes standard Model Context Protocol endpoints for seamless integration with Claude, Cursor, and other LLM-based tools.
Fetches the latest Hacker News data for AI and automation workflows.

Requirements

Node.js version 18 or higher is required.
npm or pnpm as a package manager.

⚠️ If you are unsure about your Node.js version, run node --version in your terminal. Make sure it shows v18.x.x or higher.
How to upgrade Node.js

Want to contribute? Just follow the steps below

Clone the repository and install dependencies:

git clone https://github.com/paablolc/mcp-hacker-news.git
cd mcp-hacker-news
pnpm install
pnpm build

To test the server with the MCP Inspector:

pnpm inspector

or, if running from the source:

npx @modelcontextprotocol/inspector node dist/index.js

Resources

This MCP server exposes the following fixed resources, each corresponding to a core Hacker News endpoint:

Resource URI	Description	Hacker News API Endpoint
`hackernews://top`	Top stories	`/v0/topstories`
`hackernews://new`	Newest stories	`/v0/newstories`
`hackernews://best`	Best (algorithmic) stories	`/v0/beststories`

These three collections match the main list endpoints officially provided by the Hacker News API.
Other types of stories (Ask HN, Show HN, Jobs, etc.) and item-specific lookups are available as tools (see below), allowing for flexible querying with custom parameters.

Tools

The following tools are available for advanced or parameterized queries. These allow you to fetch other Hacker News content beyond the fixed resources above:

Tool Name	Description
`getTopStories`	Fetch top stories (customizable limit)
`getBestStories`	Fetch best stories (customizable limit)
`getNewStories`	Fetch newest stories (customizable limit)
`getAskHNStories`	Fetch "Ask HN" posts
`getShowHNStories`	Fetch "Show HN" posts
`getJobStories`	Fetch job postings
`getItem`	Retrieve a specific item (story, comment, etc.)
`getUser`	Retrieve a user pro

... View full README on GitHub

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

51/100across 5 weighted dimensions

How we score →

0255075100

−49

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

12 fixed

CVE-2026-24131medium · fixedCVSS 4

pnpm has Path Traversal via arbitrary file permission modification

Affected: >= 0Fixed in 10.28.2source →

CVE-2026-23888low · fixedCVSS 3.1

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23889low · fixedCVSS 3.1

pnpm has Windows-specific tarball Path Traversal

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23890low · fixedCVSS 3.1

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-24056low · fixedCVSS 3.1

pnpm has symlink traversal in file:/git dependencies

Affected: >= 0Fixed in 10.28.2source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Mcp Hacker News safe to use?: Mcp Hacker News has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install Mcp Hacker News?: Mcp Hacker News supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with Mcp Hacker News?: Mcp Hacker News is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Mcp Hacker News actively maintained?: Mcp Hacker News is less actively maintained — last commit was 355 days ago. It has 32 GitHub stars.