Is X.Com Mcp Server safe to use?

X.Com Mcp Server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install X.Com Mcp Server?

X.Com Mcp Server supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What AI clients work with X.Com Mcp Server?

X.Com Mcp Server is compatible with claude-desktop, cursor, claude-code. It uses stdio transport.

Is X.Com Mcp Server actively maintained?

X.Com Mcp Server is less actively maintained — last commit was 360 days ago. It has 8 GitHub stars.

X.Com Mcp Server

Name: X.Com Mcp Server
Author: tiovikram

pnpm · by tiovikram

MCP server implementation for X.com API with OAuth 2.0 support

8 93.4M/wk 0 tools GitHub npm

No known CVEs

No license

Stale

Last commit 360d ago

Works with most clients

Transport: stdio

0 tools

Grade F

Edit this pageView history

Communication Marketing

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "x-com-mcp-server": {
      "args": [
        "-y",
        "pnpm"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/x-com-mcp-server)](https://mcppedia.org/s/x-com-mcp-server)

Read me

What X.Com Mcp Server does

A Model Context Protocol server that provides access to X.com's API capabilities. This server enables LLMs to interact with X.com (formerly Twitter) through OAuth 2.0 authentication, supporting all major Post-related operations including reading, writing, searching, and managing posts, likes, retweets, and bookmarks.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

50/100across 5 weighted dimensions

How we score →

0255075100

−50

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

12 fixed

CVE-2026-24131medium · fixedCVSS 4

pnpm has Path Traversal via arbitrary file permission modification

### Summary When pnpm processes a package's `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. **Note:** Only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). ### Details Vulnerable code in `pkg-manager/package-bins/src

Affected: >= 0Fixed in 10.28.2source →

CVE-2026-23888low · fixedCVSS 3.1

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

### Summary A path traversal vulnerability in pnpm's binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip's `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outsid

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23889low · fixedCVSS 3.1

pnpm has Windows-specific tarball Path Traversal

### Summary A path traversal vulnerability in pnpm's tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. **This vulnerability is Windows-only.** ### Details **1. Incomplete Path Normalization (`store/cafs/src/parseTarball.ts:107-110`)** ```typescript if (fileName.includes('./')) { fileName = path.posix.join('/'

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23890low · fixedCVSS 3.1

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

### Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. ### Details The vulnerability exists in the bin name validation and normalization logic: **1. Validation Bypass (`pkg-manager/package-bins/src/index.ts`)** The filter allows any bin name starting wit

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-24056low · fixedCVSS 3.1

pnpm has symlink traversal in file:/git dependencies

### Summary When pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data. **Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affe

Affected: >= 0Fixed in 10.28.2source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is X.Com Mcp Server safe to use?: X.Com Mcp Server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install X.Com Mcp Server?: X.Com Mcp Server supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with X.Com Mcp Server?: X.Com Mcp Server is compatible with claude-desktop, cursor, claude-code. It uses stdio transport.
Is X.Com Mcp Server actively maintained?: X.Com Mcp Server is less actively maintained — last commit was 360 days ago. It has 8 GitHub stars.

Similar servers

Others in communication / marketing

View all →

Mcp_agent_mail96

Asynchronous coordination layer for AI coding agents: identities, inboxes, searchable threads, and advisory file leases over FastMCP + Git + SQLite

2.0k 6

Mcp Server Typescript94

DataForSEO API modelcontextprotocol server

206 9

Mac_messages_mcp93

An MCP server that securely interfaces with your iMessage database via the Model Context Protocol (MCP), allowing LLMs to query and analyze iMessage conversations. It includes robust phone number validation, attachment processing, contact management, group chat handling, and full support for sending and receiving messages.

289 4

Wechatsync92

一键同步文章到多个内容平台，支持今日头条、WordPress、知乎、简书、掘金、CSDN、typecho各大平台，一次发布，多平台同步发布。解放个人生产力

5.6k 5

MCP Security Weekly

Get CVE alerts and security updates for X.Com Mcp Server and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Communication Marketing

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "x-com-mcp-server": {
      "args": [
        "-y",
        "pnpm"
      ],
      "command": "npx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/x-com-mcp-server)](https://mcppedia.org/s/x-com-mcp-server)

Read me

What X.Com Mcp Server does

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

README

X.com MCP Server

Features

OAuth 2.0 Authentication - Secure Bearer token authentication
Complete Post API Coverage - All X.com Post endpoints from the official API
Type Safety - Full TypeScript implementation with Zod validation
Comprehensive Tools - 21 tools covering all major X.com operations

Available Tools

Lookup

getSinglePost - Retrieve a single post by ID with optional field expansions
getBulkPosts - Retrieve up to 100 posts by their IDs

Manage Posts

createPost - Create a new post with text, media, polls, replies, etc.
deletePost - Delete a post by ID
hideReply - Hide or unhide a reply to a post

Timelines

getUserTimeline - Get a user's timeline of posts
getUserMentions - Get posts that mention a specific user

Search

searchRecent - Search recent posts (last 7 days)
searchAll - Search all posts (full archive - requires Academic/Enterprise access)

Post Counts

getPostCountsRecent - Get time-bucketed post counts for recent posts
getPostCountsAll - Get time-bucketed post counts for all posts (Academic/Enterprise)

Retweets

getRetweets - Get posts that retweet a specific post
createRetweet - Retweet a post
deleteRetweet - Remove a retweet

Likes

getLikingUsers - Get users who liked a specific post
getLikedTweets - Get posts that a user has liked
likePost - Like a post
unlikePost - Unlike a post

Bookmarks

getUserBookmarks - Get a user's bookmarked posts
bookmarkPost - Bookmark a post
removeBookmark - Remove a bookmark

Installation

Using pnpm (recommended)

pnpm install
pnpm run build

After installation, you can run it using:

node dist/index.js

Using Docker

docker build -t x.com-mcp .
docker run -i --rm -e X_COM_ACCESS_TOKEN=your-access-token x.com-mcp

Configuration

Environment Variables

X_COM_ACCESS_TOKEN (required): Your X.com OAuth 2.0 access token

Authentication Setup

Create an X.com Developer Account at developer.x.com
Create a new project and app
Generate OAuth 2.0 credentials
Implement the OAuth 2.0 Authorization Code with PKCE flow
Store the resulting access token as X_COM_ACCESS_TOKEN

Configure for Claude.app

Add to your Claude settings:

Using pnpm

"mcpServers": {
  "x-com": {
    "command": "node",
    "args": ["dist/index.js"],
    "env": {
      "X_COM_ACCESS_TOKEN": "your-access-token"
    }
  }
}

Using Docker

"mcpServers": {
  "x-com": {
    "command": "docker",
    "args": ["run", "-i", "--rm", "-e", "X_COM_ACCESS_TOKEN=your-access-token", "x.com-mcp"]
  }
}

Example Interactions

Create a post:

{
  "name": "createPost",
  "arguments": {
    "text": "Hello world! This is my first post via the MCP server.",
    "reply_settings": "everyone"
  }
}

Search recent posts:

{
  "name": "searchRecent",
  "arguments": {
    "query": "artificial intelligence",
    "max_results": 10,
    "tweet.fields": "created_at,author_id,public_metrics"
  }
}

Get user timeline:

{
  "name": "getUserTimeline",
  "arguments": {
    "id": "123456789",
    "max_results": 20,
    "expansions": "author_id"
  }
}

Like a post:

{
  "name": "likePost",
  "arguments": {
    "user_id": "123456789",
    "tweet_id": "987654321"
  }
}

Get post counts:

{
  "name": "getPostCountsRecent",
  "arguments": {
    "query": "machine learning",
    "granularity": "day"
  }
}

API Endpoint

... View full README on GitHub

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

50/100across 5 weighted dimensions

How we score →

0255075100

−50

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

12 fixed

CVE-2026-24131medium · fixedCVSS 4

pnpm has Path Traversal via arbitrary file permission modification

Affected: >= 0Fixed in 10.28.2source →

CVE-2026-23888low · fixedCVSS 3.1

pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23889low · fixedCVSS 3.1

pnpm has Windows-specific tarball Path Traversal

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-23890low · fixedCVSS 3.1

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

Affected: >= 0Fixed in 10.28.1source →

CVE-2026-24056low · fixedCVSS 3.1

pnpm has symlink traversal in file:/git dependencies

Affected: >= 0Fixed in 10.28.2source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is X.Com Mcp Server safe to use?: X.Com Mcp Server has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.
How do I install X.Com Mcp Server?: X.Com Mcp Server supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with X.Com Mcp Server?: X.Com Mcp Server is compatible with claude-desktop, cursor, claude-code. It uses stdio transport.
Is X.Com Mcp Server actively maintained?: X.Com Mcp Server is less actively maintained — last commit was 360 days ago. It has 8 GitHub stars.