Is Mcp Musescore safe to use?

Mcp Musescore has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.

How do I install Mcp Musescore?

Mcp Musescore supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What can Mcp Musescore do?

Mcp Musescore provides 25 tools: get_cursor_info, go_to_measure, go_to_beginning_of_score, go_to_final_measure, next_element and 20 more. See the full tools list on the server page for descriptions and parameters.

What AI clients work with Mcp Musescore?

Mcp Musescore is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.

Is Mcp Musescore actively maintained?

Mcp Musescore is recently maintained — last commit was 35 days ago. It has 49 GitHub stars.

Mcp Musescore

Name: Mcp Musescore
Author: ghchen99

fastmcp · by ghchen99

A Model Context Protocol (MCP) server that provides programmatic control over MuseScore!

49 25 tools GitHub PyPI

No known CVEs

MIT license

Maintained

Last commit 35d ago

Works with most clients

Transport: stdio, sse, http

25 tools · ~1.3k tok

Grade B · 0.6% of 200K ctx

Edit this pageView history

Entertainment

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "musescore": {
      "args": [
        "/path/to/your/project/server.py"
      ],
      "command": "/path/to/your/project/.venv/bin/python"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/mcp-musescore)](https://mcppedia.org/s/mcp-musescore)

Read me

What Mcp Musescore does

A Model Context Protocol (MCP) server that provides programmatic control over MuseScore, via a WebSocket-based plugin system. This allows AI assistants like Claude to compose music, add lyrics, navigate scores, and control MuseScore directly.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

uvx 'fastmcp' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

79/100across 5 weighted dimensions

How we score →

0255075100

−21

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

8 fixed

CVE-2026-32871low · fixedCVSS 3.1

FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

## Technical Description The `OpenAPIProvider` in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The `RequestDirector` class is responsible for constructing HTTP requests to the backend service. A critical vulnerability exists in the `_build_url()` method. When an OpenAPI operation defines path parameters (e.g., `/api/v1/users/{user_id}`), the system directly substitutes parameter values into the URL template string **without URL-encoding**. Subsequently, `urll

Affected: >= 0Fixed in 3.2.0source →

CVE-2026-27124medium · fixedCVSS 4

FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

## Summary While testing the *GitHubProvider* OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHub’s behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. ## Technical Details An adversary can initi

Affected: >= 0Fixed in 3.2.0source →

CVE-2025-64340low · fixedCVSS 3.1

FastMCP has a Command Injection vulnerability - Gemini CLI

Server names containing shell metacharacters (e.g., `&`) can cause command injection on Windows when passed to `fastmcp install claude-code` or `fastmcp install gemini-cli`. These install paths use `subprocess.run()` with a list argument, but on Windows the target CLIs often resolve to `.cmd` wrappers that are executed through `cmd.exe`, which interprets metacharacters in the flattened command string. PoC: ```python from fastmcp import FastMCP mcp = FastMCP(name="test&calc") @mcp.tool def rol

Affected: >= 0Fixed in 3.2.0source →

CVE-2025-69196medium · fixedCVSS 4

FastMCP OAuth Proxy token reuse across MCP servers

While testing the OAuth Proxy implementation, it was noticed that the server does not properly respect the `resource` parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for this MCP server, the token is issued for the `base_url` passed to the `OAuthProxy` during initialization. **Affected File:** *https://github.com/jlowin/fastmcp/blob/main/src/fastmcp/server/auth/oauth_proxy.py#L828* **Affected Code:** ```python self._jwt_issuer:

Affected: >= 0Fixed in 2.14.2source →

GHSA-rcfx-77hg-w2wvinfo · fixed

FastMCP updated to MCP 1.23+ due to CVE-2025-66416

There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416. FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions <1.23 that were vulnerable to CVE-2025-66416. Users should upgrade to FastMCP 2.14.0 or later.

Affected: >= 0Fixed in 2.14.0source →

Inventory

Tools (25)

Click any tool to inspect its schema.

~1.3k tokens total

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Mcp Musescore safe to use?: Mcp Musescore has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Mcp Musescore?: Mcp Musescore supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What can Mcp Musescore do?: Mcp Musescore provides 25 tools: get_cursor_info, go_to_measure, go_to_beginning_of_score, go_to_final_measure, next_element and 20 more. See the full tools list on the server page for descriptions and parameters.
What AI clients work with Mcp Musescore?: Mcp Musescore is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Mcp Musescore actively maintained?: Mcp Musescore is recently maintained — last commit was 35 days ago. It has 49 GitHub stars.

Similar servers

Others in entertainment

View all →

com.mux/mcp94

The official MCP Server for the Mux API

179 7

ai.smithery/ChiR24-unreal_mcp_server92

A comprehensive Model Context Protocol (MCP) server that enables AI assistants to control Unreal E…

653 11

Unity Mcp Server92

Unity MCP Server — 268 tools for AI-assisted game development. Connect Claude, Cursor, or any MCP client to Unity Editor & Unity Hub. Scene management, GameObjects, components, builds, profiling, Shader Graph, Amplify, terrain, physics, NavMesh, animation, MPPM multiplayer & more. Free & open source by AnkleBreaker Studio.

193 2

Strudel Mcp Server91

A Model Context Protocol (MCP) server that gives Claude direct control over Strudel.cc for AI-assisted music generation and live coding.

203 34

MCP Security Weekly

Get CVE alerts and security updates for Mcp Musescore and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Entertainment

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "musescore": {
      "args": [
        "/path/to/your/project/server.py"
      ],
      "command": "/path/to/your/project/.venv/bin/python"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/mcp-musescore)](https://mcppedia.org/s/mcp-musescore)

Read me

What Mcp Musescore does

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

uvx 'fastmcp' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

README

MuseScore MCP Server

Prerequisites

MuseScore 3.x or 4.x
Python 3.8+
Claude Desktop or compatible MCP client

Setup

1. Install the MuseScore Plugin

First, save the QML plugin code to your MuseScore plugins directory:

macOS: ~/Documents/MuseScore4/Plugins/musescore-mcp-websocket.qml Windows: %USERPROFILE%\Documents\MuseScore4\Plugins\musescore-mcp-websocket.qml Linux: ~/Documents/MuseScore4/Plugins/musescore-mcp-websocket.qml

2. Enable the Plugin in MuseScore

Open MuseScore
Go to Plugins → Plugin Manager
Find "MuseScore API Server" and check the box to enable it
Click OK

3. Setup Python Environment

git clone <your-repo>
cd mcp-agents-demo
python -m venv .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate
pip install fastmcp websockets

4. Configure Claude Desktop

Add to your Claude Desktop configuration file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "musescore": {
      "command": "/path/to/your/project/.venv/bin/python",
      "args": [
        "/path/to/your/project/server.py"
      ]
    }
  }
}

Note: Update the paths to match your actual project location.

Running the System

Order of Operations

Start MuseScore first with a score open
Run the MuseScore plugin: Go to Plugins → MuseScore API Server
- You should see console output: "Starting MuseScore API Server on port 8765"
Then start the Python MCP server or restart Claude Desktop

[insert screenshot of different functionality, harmonisation, melodywriting, as zoomed in GIFs]

Development and Testing

For development, use the MCP development tools:

# Install MCP dev tools
pip install mcp

# Test your server
mcp dev server.py

# Check connection status
mcp dev server.py --inspect

Viewing Console Output

To see MuseScore plugin console output, run MuseScore from terminal:

macOS:

/Applications/MuseScore\ 4.app/Contents/MacOS/mscore

Windows:

cd "C:\Program Files\MuseScore 4\bin"
MuseScore.exe

Linux:

musescore4

Features

This MCP server provides comprehensive MuseScore control.

🌟 NEW in this fork: Built-in automatic, flawless multi-voice Polyphony & Temporal layout mapping to LilyPond!

Navigation & Cursor Control

get_cursor_info() - Get current cursor position and selection info
go_to_measure(measure) - Navigate to specific measure
go_to_beginning_of_score() / go_to_final_measure() - Navigate to start/end
next_element() / prev_element() - Move cursor element by element
next_staff() / prev_staff() - Move between staves
select_current_measure() - Select entire current measure
select_custom_range(start_tick, end_tick, start_staff, end_staff) - Slicing tool to extract cross-measure, multi-staff phrasing

Polyphony & LilyPond Integration

Temporal Rhythm Padding: Voices with gaps or rests automatically receive LilyPond spacer sequences (s4.) to hold their mathematical place accurately.
Concurrent Voice Rendering: Full 4-voice (\voiceOne, \voiceTwo, etc.) arrays correctly structured and sharded per staff for advanced Agent processing.

Note & Rest Creation

add_note(pitch, duration, advance_cursor_after_action) - Add notes with MIDI pitch
add_rest(duration, advance_cursor_after_action) - Add rests
add_tuplet(duration, ratio, advance_cursor_after_action) - Add tuplets (triplets, etc.)

Measure Management

insert_measure() - Insert measure at current positi

... View full README on GitHub

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

79/100across 5 weighted dimensions

How we score →

0255075100

−21

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

8 fixed

CVE-2026-32871low · fixedCVSS 3.1

FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

Affected: >= 0Fixed in 3.2.0source →

CVE-2026-27124medium · fixedCVSS 4

FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

Affected: >= 0Fixed in 3.2.0source →

CVE-2025-64340low · fixedCVSS 3.1

FastMCP has a Command Injection vulnerability - Gemini CLI

Affected: >= 0Fixed in 3.2.0source →

CVE-2025-69196medium · fixedCVSS 4

FastMCP OAuth Proxy token reuse across MCP servers

Affected: >= 0Fixed in 2.14.2source →

GHSA-rcfx-77hg-w2wvinfo · fixed

FastMCP updated to MCP 1.23+ due to CVE-2025-66416

Affected: >= 0Fixed in 2.14.0source →

Inventory

Tools (25)

Click any tool to inspect its schema.

~1.3k tokens total

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Mcp Musescore safe to use?: Mcp Musescore has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Mcp Musescore?: Mcp Musescore supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What can Mcp Musescore do?: Mcp Musescore provides 25 tools: get_cursor_info, go_to_measure, go_to_beginning_of_score, go_to_final_measure, next_element and 20 more. See the full tools list on the server page for descriptions and parameters.
What AI clients work with Mcp Musescore?: Mcp Musescore is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Mcp Musescore actively maintained?: Mcp Musescore is recently maintained — last commit was 35 days ago. It has 49 GitHub stars.