Is Mcp Hooks safe to use?

Mcp Hooks has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.

How do I install Mcp Hooks?

Mcp Hooks supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What can Mcp Hooks do?

Mcp Hooks provides 20 tools: Security, Auditing, Control, Customization, continue and 15 more. See the full tools list on the server page for descriptions and parameters.

What AI clients work with Mcp Hooks?

Mcp Hooks is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.

Is Mcp Hooks actively maintained?

Mcp Hooks is actively maintained — last commit was 11 days ago. It has 8 GitHub stars.

Mcp Hooks

Name: Mcp Hooks
Author: civicteam

pnpm · by civicteam

A collection of tools and helpers for creating MCP servers and clients

8 91.2M/wk 20 tools GitHub npm

No known CVEs

MIT license

Actively maintained

Last commit 11d ago

Works with most clients

Transport: stdio, sse, http

20 tools · ~562 tok

Grade B · 0.3% of 200K ctx

Edit this pageView history

Developer Tools Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "mcp-hooks": {
      "args": [
        "-y",
        "pnpm"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/mcp-hooks)](https://mcppedia.org/s/mcp-hooks)

Read me

What Mcp Hooks does

A middleware layer for the Model Context Protocol (MCP) that enables monitoring, validation, and transformation of AI tool interactions.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

86/100across 5 weighted dimensions

How we score →

0255075100

−14

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

12 fixed

CVE-2026-24131medium · fixedCVSS 4

pnpm has Path Traversal via arbitrary file permission modification

### Summary When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. **Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). ### Details Vulnerable code in `pkg-manager/package-bins/src

Affected: >= 0Fixed in 10.28.2source →

CVE-2026-23888low · fixedCVSS 3.1

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

### Summary A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outsid

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23889low · fixedCVSS 3.1

pnpm has Windows-specific tarball Path Traversal

### Summary A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. **This vulnerability is Windows-only.** ### Details **1. Incomplete Path Normalization (`store/cafs/src/parseTarball.ts:107-110`)** ```typescript if (fileName.includes('./')) { fileName = path.posix.join('/'

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23890low · fixedCVSS 3.1

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

### Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. ### Details The vulnerability exists in the bin name validation and normalization logic: **1. Validation Bypass (`pkg-manager/package-bins/src/index.ts`)** The filter allows any bin name starting wit

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-24056low · fixedCVSS 3.1

pnpm has symlink traversal in file:/git dependencies

### Summary When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. **Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affe

Affected: >= 0Fixed in 10.28.2source →

Inventory

Tools (20)

Click any tool to inspect its schema.

~562 tokens total

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Mcp Hooks safe to use?: Mcp Hooks has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Mcp Hooks?: Mcp Hooks supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What can Mcp Hooks do?: Mcp Hooks provides 20 tools: Security, Auditing, Control, Customization, continue and 15 more. See the full tools list on the server page for descriptions and parameters.
What AI clients work with Mcp Hooks?: Mcp Hooks is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Mcp Hooks actively maintained?: Mcp Hooks is actively maintained — last commit was 11 days ago. It has 8 GitHub stars.

Similar servers

Others in developer-tools / security

View all →

XcodeBuildMCP97

A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.

5.8k 2

XcodeBuildMCP97

XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.

5.8k 1

Mcp_agent_mail96

Asynchronous coordination layer for AI coding agents: identities, inboxes, searchable threads, and advisory file leases over FastMCP + Git + SQLite

2.0k 6

Figma Console Mcp96

MCP server for accessing Figma plugin console logs and screenshots via Cloudflare Workers or local mode

1.7k 2

MCP Security Weekly

Get CVE alerts and security updates for Mcp Hooks and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Developer Tools Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "mcp-hooks": {
      "args": [
        "-y",
        "pnpm"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/mcp-hooks)](https://mcppedia.org/s/mcp-hooks)

Read me

What Mcp Hooks does

A middleware layer for the Model Context Protocol (MCP) that enables monitoring, validation, and transformation of AI tool interactions.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

README

Civic MCP Hooks

A middleware layer for the Model Context Protocol (MCP) that enables monitoring, validation, and transformation of AI tool interactions.

Understanding MCP and Why It Needs Hooks

What is MCP?

The Model Context Protocol (MCP) is a standard that allows AI assistants (like Claude) to interact with external tools and services. Think of it as a universal language that lets AI models:

Read and write files
Query databases
Call APIs
Execute code
Access various services

When you use an AI assistant with MCP, it can perform real actions on your behalf, making it incredibly powerful for automation and productivity.

Why Add a Middleware Layer?

While MCP's power is exciting, it also raises important questions:

Security: How do we ensure the AI only accesses what it should?
Auditing: How do we track what actions were taken?
Control: How do we prevent unintended or dangerous operations?
Customization: How do we modify behavior for specific use cases?

This is where hooks come in. Just like web applications use middleware to handle authentication, logging, and request processing, MCP can benefit from a similar pattern.

How This Solution Works

Our approach introduces a "passthrough server" that sits between the AI and the actual MCP tools:

AI Assistant ←→ Passthrough Server ←→ Target MCP Server
                       ↓↑
                    [Hooks]

Here's what happens when the AI wants to use a tool:

1. Request:  AI → Passthrough → Hook 1 → Hook 2 → ... → Target MCP Server
2. Response: AI ← Passthrough ← Hook 2 ← Hook 1 ← ... ← Target MCP Server

The passthrough server:

Intercepts all requests from the AI
Processes them through a chain of hooks
Forwards approved requests to the actual tool
Returns the response (also processed through hooks)

Each hook in the chain can:

Inspect the request (What is the AI trying to do?)
Modify the request (Change parameters, add context)
Approve or Reject the request (Security and validation)
Perform side effects (Audit logging, notifications, analytics)
Transform the response (Format, filter, or enhance results)

Real-World Examples

Why do we need MCP-specific hooks? It's about separation of concerns and the unique challenges of LLM tool use.

The Core Problem: MCP servers are designed to do one thing well - provide tools. They shouldn't be cluttered with authentication logic, audit trails, or context-specific modifications. Additionally, OAuth (which MCP uses) lacks the granularity needed for LLM interactions - there's no way to express "allow file reads but only in the /docs folder" or "allow API calls but rate-limit based on content."

Example 1: LLM-Specific Guardrails

Your MCP file server provides simple file operations. But LLMs need different rules than human users:

Human user: Can precisely click on files they need
LLM: Might try to read entire directory trees to "be helpful"

Guardrail Hook: Limits directory traversal depth, prevents reading 
binary files, and caps file sizes - rules that only make sense for LLMs

The MCP server stays simple, while the hook adds LLM-specific safety rails.

Example 2: Context-Dependent Tool Descriptions and Prompts

The same tool might need different descriptions for different use cases:

Standard fetch tool: "Retrieves web content"

In a research environment:
"Retrieves web content (academic sources preferred, checks Sci-Hub)"

In a corporate environment:
"Retrieves web content (internal wiki only, external sites blocked)"

The Custom Description Hook modifies tool descriptions based on your context - something the original MCP server can't and shouldn't handle.

Example 3: Forcing Transparency with Explain Hook

LLMs can use tools without explaining why. The Explain Hook adds a required "reason" parameter:

Without hook:
AI: execute_sql("DROP TABLE users")

With Explain Ho

... [View full README on GitHub](https://github.com/civicteam/mcp-hooks#readme)

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

86/100across 5 weighted dimensions

How we score →

0255075100

−14

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

12 fixed

CVE-2026-24131medium · fixedCVSS 4

pnpm has Path Traversal via arbitrary file permission modification

Affected: >= 0Fixed in 10.28.2source →

CVE-2026-23888low · fixedCVSS 3.1

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23889low · fixedCVSS 3.1

pnpm has Windows-specific tarball Path Traversal

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23890low · fixedCVSS 3.1

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-24056low · fixedCVSS 3.1

pnpm has symlink traversal in file:/git dependencies

Affected: >= 0Fixed in 10.28.2source →

Inventory

Tools (20)

Click any tool to inspect its schema.

~562 tokens total

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Mcp Hooks safe to use?: Mcp Hooks has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Mcp Hooks?: Mcp Hooks supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What can Mcp Hooks do?: Mcp Hooks provides 20 tools: Security, Auditing, Control, Customization, continue and 15 more. See the full tools list on the server page for descriptions and parameters.
What AI clients work with Mcp Hooks?: Mcp Hooks is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Mcp Hooks actively maintained?: Mcp Hooks is actively maintained — last commit was 11 days ago. It has 8 GitHub stars.