This is an MCP client developed to let you easily configure various large models and connect to various MCP servers.
Config is the same across clients — only the file and path differ.
{
  "mcpServers": {
    "MCP_SERVER_NAME": {
      "url": "YOUR_SSE_SERVER_URL",
      "enabled": true,
      "transport": "sse"
    }
  }
}
MCP-X is an open-source MCP Host Desktop Application that seamlessly integrates with any LLMs supporting function calling capabilities. ✨
This server supports HTTP transport.
yt-dlp: Arbitrary command injection possible if --exec option used with yt-dlp
### Summary
yt-dlp's `--exec` option is vulnerable to arbitrary command injection when handling untrusted metadata if the argument uses standard string formatting (e.g. `%(title)s`) or other unsafe conversions. An attacker could achieve remote code execution on the user's machine via maliciously crafted metadata containing quotes or other special shell characters.
### Details
Since yt-dlp version 2021.04.11, the `--exec` option has supported "output template syntax", which is a superset of Pyth
yt-dlp: Arbitrary code execution via manifest downloads with aria2c
### Summary
If aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution. On non-Windows platforms, this can lead to arbitrary code execution upon the next invocation of yt-dlp.
### Details
When downloading a fragmented manifest format such as an HLS or DASH strea
yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)
### Summary
A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as `.desktop`, `.url`, `.webloc`) to the user's filesystem, bypassing the remediation for `CVE-2024-38519`.
### Details
The fix for `CVE-2024-38519` enforced an allowlist for file extensions, in order to prevent writing files with unsafe extensions (such as `.exe` or `.sh`) during file downloads. However, this allowlist explicitly included the unsafe extensions `.desktop`, `.ur
yt-dlp: File Downloader cookie leak with curl
### Summary
If curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. This is the equivalent to [GHSA-v8mc-9377-rwjj](<https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj>) for the `curl` downloader. The vulnerable behavior is present in [yt-dlp](https://github.com/yt-dlp/yt-dlp) released since 2023.09.24.
### Details
At the file download st
yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option
### Summary
When yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL.
### Impact
yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be

MCP-X is good at agent tasks and at understanding various types of content through its powerful AI agents. Here's an example of a food content agent:

Key Features Demonstrated:
Perfect for:
This showcases how MCP-X can transform simple queries into detailed, actionable insights across various domains.
We've just rolled out major updates to improve your experience:
MCP-X now supports powerful knowledge base management!
MCP-X as a full-fledged AI agent platform.
We've redesigned the app to be cleaner and more intuitive.
This update also includes a move to a more professional icon set (react-icons) and various under-the-hood CSS and component optimizations for better performance.