Is Strava Mcp safe to use?

Strava Mcp has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.

How do I install Strava Mcp?

Strava Mcp supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What AI clients work with Strava Mcp?

Strava Mcp is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.

Is Strava Mcp actively maintained?

Strava Mcp is not actively maintained — last commit was 410 days ago. It has 26 GitHub stars.

Strava Mcp

Name: Strava Mcp
Author: kw510

wrangler · by kw510

A Model Context Protocol (MCP) server with Strava OAuth integration, built on Cloudflare Workers. Enables secure authentication and tool access for MCP clients like Claude and Cursor through Strava login. Perfect for developers looking to integrate Strava authentication with AI tools.

26 21.3M/wk 0 tools GitHub npm

No known CVEs

MIT license

Stale

Last commit 410d ago

Works with most clients

Transport: stdio, sse, http

0 tools

Grade F

Edit this pageView history

Health

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "strava-mcp": {
      "args": [
        "mcp-remote",
        "https://mcp-strava-oauth.<your-subdomain>.workers.dev/sse"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/strava-mcp)](https://mcppedia.org/s/strava-mcp)

Read me

What Strava Mcp does

This is a Model Context Protocol (MCP) server that supports remote MCP connections, with Strava OAuth built-in. It allows users to connect to your MCP server by signing in with their Strava account.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'wrangler' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

53/100across 5 weighted dimensions

How we score →

0255075100

−47

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

4 fixed

CVE-2026-0933medium · fixedCVSS 4

Wrangler affected by OS Command Injection in `wrangler pages deploy`

**Summary** A command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. **Root cause** The `commitHash` variable, derived from user input via the `--commit-hash` CLI argument, is interpolated directl

Affected: >= 2.0.15Fixed in 3.114.17source →

CVE-2023-7080low · fixedCVSS 3.1

Arbitrary remote code execution within `wrangler dev` Workers sandbox

### Impact The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. `wrangler dev` would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate `Origin`/`Host` headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability

Affected: >= 3.0.0Fixed in 3.19.0source →

CVE-2023-7079low · fixedCVSS 3.1

Arbitrary remote file read in Wrangler dev server

### Impact Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network. An attacker that could trick any user on the local network into opening a malicious website could also read any file. ### Patches This issue was fixed in `wrangler@3.19.0`. Wrangler will now only serve files that are part of your bundle, or referenced by your bundle's source maps. ### Workarounds Configure Wr

Affected: >= 3.9.0Fixed in 3.19.0source →

CVE-2023-3348low · fixedCVSS 3.1

Cloudflare Wrangler directory traversal vulnerability

### Impact The Wrangler command line tool (<=wrangler@3.1.0 or <=wrangler@2.20.1) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim's files present outside of the directory for the development server. ### Patches Wrangler2: Upgrade to v2.20.1 or higher. Wrangler3: Upgrade to v3

Affected: >= 0Fixed in 2.20.1source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Strava Mcp safe to use?: Strava Mcp has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Strava Mcp?: Strava Mcp supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with Strava Mcp?: Strava Mcp is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Strava Mcp actively maintained?: Strava Mcp is not actively maintained — last commit was 410 days ago. It has 26 GitHub stars.

Similar servers

Others in health

View all →

io.github.wso2/fhir-mcp-server93

MCP server providing seamless access to FHIR APIs for AI tools and healthcare applications

121 5

Clinicaltrialsgov Mcp Server92

MCP server for the ClinicalTrials.gov v2 API. Search trials, retrieve study details and results, and match patients to eligible trials.

76 7

Hevy Mcp90

Manage your Hevy workouts, routines, folders, and exercise templates. Create and update sessions faster, organize plans, and search exercises to build workouts quickly. Stay synced with changes so your training log is always up to date.

247 19

io.github.YasuakiOmokawa/oura-mcp89

MCP server for Oura Ring API v2 (sleep, activity, readiness, heart rate, workouts).

1 5

MCP Security Weekly

Get CVE alerts and security updates for Strava Mcp and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Health

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "strava-mcp": {
      "args": [
        "mcp-remote",
        "https://mcp-strava-oauth.<your-subdomain>.workers.dev/sse"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/strava-mcp)](https://mcppedia.org/s/strava-mcp)

Read me

What Strava Mcp does

This is a Model Context Protocol (MCP) server that supports remote MCP connections, with Strava OAuth built-in. It allows users to connect to your MCP server by signing in with their Strava account.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'wrangler' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

README

Model Context Protocol (MCP) Server + Strava OAuth

This is a Model Context Protocol (MCP) server that supports remote MCP connections, with Strava OAuth built-in. It allows users to connect to your MCP server by signing in with their Strava account.

Overview

The MCP server (powered by Cloudflare Workers) serves two roles:

Acts as an OAuth Server for your MCP clients
Acts as an OAuth Client for Strava's OAuth services

This project serves as a reference example for integrating OAuth providers with an MCP server deployed to Cloudflare, using the workers-oauth-provider library.

Prerequisites

A Strava account
A Cloudflare account
Node.js and npm installed
Wrangler CLI installed (npm install -g wrangler)

Quick Start

Clone the repository:

git clone https://github.com/kw510/strava-mcp.git
cd strava-mcp
npm install

Set up your Strava API credentials (see Setting Up Strava API Credentials)
Set up your Cloudflare KV namespace:
```
wrangler kv:namespace create "OAUTH_KV"
```
Update the wrangler.toml file with the generated KV ID.
Deploy to Cloudflare:
```
wrangler deploy
```

Setting Up Strava API Credentials

For Production

Go to Strava's API Settings and create a new application
Configure your application:
- Application Name: Choose a name for your application
- Category: Select an appropriate category
- Website: Your website URL
- Application Description: Brief description of your application
- Authorization Callback Domain: mcp-strava-oauth.<your-subdomain>.workers.dev
- Authorization Callback URL: https://mcp-strava-oauth.<your-subdomain>.workers.dev/callback

Set your production environment variables:

wrangler secret put STRAVA_CLIENT_ID
wrangler secret put STRAVA_CLIENT_SECRET

For Development

Create a separate Strava API application for development
Configure your development application:
- Authorization Callback Domain: localhost
- Authorization Callback URL: http://localhost:8788/callback

Create a .dev.vars file in your project root:

STRAVA_CLIENT_ID=your_development_strava_client_id
STRAVA_CLIENT_SECRET=your_development_strava_client_secret

Testing Your MCP Server

Using Inspector

Install the Inspector tool:

npx @modelcontextprotocol/inspector@latest

Connect to your server:
- For production: https://mcp-strava-oauth.<your-subdomain>.workers.dev/sse
- For development: http://localhost:8788/sse

Using Claude Desktop

Open Claude Desktop and go to Settings -> Developer -> Edit Config

Add your MCP server configuration:

{
  "mcpServers": {
    "strava": {
      "command": "npx",
      "args": [
        "mcp-remote",
        "https://mcp-strava-oauth.<your-subdomain>.workers.dev/sse"
      ]
    }
  }
}

Restart Claude Desktop and complete the OAuth flow

Development

Local Development

Start the development server:
```
wrangler dev
```
The server will be available at http://localhost:8788

API Rate Limits

The Strava API has the following rate limits:

200 requests every 15 minutes
2,000 requests per day

How It Works

OAuth Provider

The OAuth Provider library handles:

OAuth 2.1 server implementation
Token issuance and validation
Secure token storage in KV
Strava OAuth integration

Durable MCP

Provides:

Persistent state management
Secure authentication context storage
User information access via this.props
Conditional tool availability

MCP Remote

Enables:

Client-server communication
Tool definition and management
Request

... View full README on GitHub

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

53/100across 5 weighted dimensions

How we score →

0255075100

−47

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

4 fixed

CVE-2026-0933medium · fixedCVSS 4

Wrangler affected by OS Command Injection in `wrangler pages deploy`

Affected: >= 2.0.15Fixed in 3.114.17source →

CVE-2023-7080low · fixedCVSS 3.1

Arbitrary remote code execution within `wrangler dev` Workers sandbox

Affected: >= 3.0.0Fixed in 3.19.0source →

CVE-2023-7079low · fixedCVSS 3.1

Arbitrary remote file read in Wrangler dev server

Affected: >= 3.9.0Fixed in 3.19.0source →

CVE-2023-3348low · fixedCVSS 3.1

Cloudflare Wrangler directory traversal vulnerability

Affected: >= 0Fixed in 2.20.1source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Strava Mcp safe to use?: Strava Mcp has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Strava Mcp?: Strava Mcp supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with Strava Mcp?: Strava Mcp is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Strava Mcp actively maintained?: Strava Mcp is not actively maintained — last commit was 410 days ago. It has 26 GitHub stars.