Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"mcp-hooks": {
"args": [
"-y",
"pnpm"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
A middleware layer for the Model Context Protocol (MCP) that enables monitoring, validation, and transformation of AI tool interactions.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
## Summary `pnpm` accepts package names from the env lockfile `configDependencies` section and uses those names directly when creating config dependency symlinks under `node_modules/.pnpm-config`. A malicious repository can commit a crafted `pnpm-lock.yaml` whose env-lockfile document contains a traversal-shaped config dependency name such as `../../PWNED_CFGDEP`. During `pnpm install`, pnpm installs the config dependency and creates a symlink at a path derived from that name. In local testin
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
## Summary `pnpm` accepts package names from the env lockfile `configDependencies` section and uses those names directly when creating config dependency symlinks under `node_modules/.pnpm-config`. A malicious repository can commit a crafted `pnpm-lock.yaml` whose env-lockfile document contains a traversal-shaped config dependency name such as `../../PWNED_CFGDEP`. During `pnpm install`, pnpm installs the config dependency and creates a symlink at a path derived from that name. In local testin
pnpm: `patch-remove` could delete project-selected files outside the patches directory
## Summary The `patch-remove` deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm. A crafted patch entry could resolve outside the configured patches directory and cause `pnpm patch-remove` to delete an arbitrary reachable file. This patch validates the configured directory and every resolved target before unlinking anything, then deletes the final directory entry without following it. ## Security boundary - Traversal and absolute paths that resolve
pnpm: `patch-remove` could delete project-selected files outside the patches directory
## Summary The `patch-remove` deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm. A crafted patch entry could resolve outside the configured patches directory and cause `pnpm patch-remove` to delete an arbitrary reachable file. This patch validates the configured directory and every resolved target before unlinking anything, then deletes the final directory entry without following it. ## Security boundary - Traversal and absolute paths that resolve
pnpm: Hoisted install imports lockfile alias outside node_modules
## Summary The hoisted dependency alias issue tracked as GHSA-fr4h-3cph-29xv / CAND-PNPM-059 has been addressed in both pnpm and pacquet. A crafted lockfile alias could be joined directly under a hoisted `node_modules` directory. Traversal aliases could escape that directory, while reserved aliases such as `.bin` or `.pnpm` could overwrite pnpm-owned layout. This patch validates package-name semantics and path containment before graph insertion or filesystem work. ## Security boundary - The
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in developer-tools / security
Copy/paste detector for programming source code, supports 223 formats. AI-ready with token-efficient reporter, skill and MCP server.
XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.
A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.
Manage Supabase projects — databases, auth, storage, and edge functions
MCP Security Weekly
Get CVE alerts and security updates for Mcp Hooks and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
A middleware layer for the Model Context Protocol (MCP) that enables monitoring, validation, and transformation of AI tool interactions.
The Model Context Protocol (MCP) is a standard that allows AI assistants (like Claude) to interact with external tools and services. Think of it as a universal language that lets AI models:
When you use an AI assistant with MCP, it can perform real actions on your behalf, making it incredibly powerful for automation and productivity.
While MCP's power is exciting, it also raises important questions:
This is where hooks come in. Just like web applications use middleware to handle authentication, logging, and request processing, MCP can benefit from a similar pattern.
Our approach introduces a "passthrough server" that sits between the AI and the actual MCP tools:
AI Assistant ←→ Passthrough Server ←→ Target MCP Server
↓↑
[Hooks]
Here's what happens when the AI wants to use a tool:
1. Request: AI → Passthrough → Hook 1 → Hook 2 → ... → Target MCP Server
2. Response: AI ← Passthrough ← Hook 2 ← Hook 1 ← ... ← Target MCP Server
The passthrough server:
Each hook in the chain can:
Why do we need MCP-specific hooks? It's about separation of concerns and the unique challenges of LLM tool use.
The Core Problem: MCP servers are designed to do one thing well - provide tools. They shouldn't be cluttered with authentication logic, audit trails, or context-specific modifications. Additionally, OAuth (which MCP uses) lacks the granularity needed for LLM interactions - there's no way to express "allow file reads but only in the /docs folder" or "allow API calls but rate-limit based on content."
Example 1: LLM-Specific Guardrails
Your MCP file server provides simple file operations. But LLMs need different rules than human users:
Human user: Can precisely click on files they need
LLM: Might try to read entire directory trees to "be helpful"
Guardrail Hook: Limits directory traversal depth, prevents reading
binary files, and caps file sizes - rules that only make sense for LLMs
The MCP server stays simple, while the hook adds LLM-specific safety rails.
Example 2: Context-Dependent Tool Descriptions and Prompts
The same tool might need different descriptions for different use cases:
Standard fetch tool: "Retrieves web content"
In a research environment:
"Retrieves web content (academic sources preferred, checks Sci-Hub)"
In a corporate environment:
"Retrieves web content (internal wiki only, external sites blocked)"
The Custom Description Hook modifies tool descriptions based on your context - something the original MCP server can't and shouldn't handle.
Example 3: Forcing Transparency with Explain Hook
LLMs can use tools without explaining why. The Explain Hook adds a required "reason" parameter:
Without hook:
AI: execute_sql("DROP TABLE users")
With Explain Ho
... [View full README on GitHub](https://github.com/civicteam/mcp-hooks#readme)