Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"x-com-mcp-server": {
"args": [
"-y",
"pnpm"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
A Model Context Protocol server that provides access to X.com's API capabilities. This server enables LLMs to interact with X.com (formerly Twitter) through OAuth 2.0 authentication, supporting all major Post-related operations including reading, writing, searching, and managing posts, likes, retweets, and bookmarks.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'pnpm' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
## Summary `pnpm` accepts package names from the env lockfile `configDependencies` section and uses those names directly when creating config dependency symlinks under `node_modules/.pnpm-config`. A malicious repository can commit a crafted `pnpm-lock.yaml` whose env-lockfile document contains a traversal-shaped config dependency name such as `../../PWNED_CFGDEP`. During `pnpm install`, pnpm installs the config dependency and creates a symlink at a path derived from that name. In local testin
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
## Summary `pnpm` accepts package names from the env lockfile `configDependencies` section and uses those names directly when creating config dependency symlinks under `node_modules/.pnpm-config`. A malicious repository can commit a crafted `pnpm-lock.yaml` whose env-lockfile document contains a traversal-shaped config dependency name such as `../../PWNED_CFGDEP`. During `pnpm install`, pnpm installs the config dependency and creates a symlink at a path derived from that name. In local testin
pnpm: `patch-remove` could delete project-selected files outside the patches directory
## Summary The `patch-remove` deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm. A crafted patch entry could resolve outside the configured patches directory and cause `pnpm patch-remove` to delete an arbitrary reachable file. This patch validates the configured directory and every resolved target before unlinking anything, then deletes the final directory entry without following it. ## Security boundary - Traversal and absolute paths that resolve
pnpm: `patch-remove` could delete project-selected files outside the patches directory
## Summary The `patch-remove` deletion-scope issue tracked as GHSA-72r4-9c5j-mj57 / CAND-PNPM-030 has been addressed in pnpm. A crafted patch entry could resolve outside the configured patches directory and cause `pnpm patch-remove` to delete an arbitrary reachable file. This patch validates the configured directory and every resolved target before unlinking anything, then deletes the final directory entry without following it. ## Security boundary - Traversal and absolute paths that resolve
pnpm: Hoisted install imports lockfile alias outside node_modules
## Summary The hoisted dependency alias issue tracked as GHSA-fr4h-3cph-29xv / CAND-PNPM-059 has been addressed in both pnpm and pacquet. A crafted lockfile alias could be joined directly under a hoisted `node_modules` directory. Traversal aliases could escape that directory, while reserved aliases such as `.bin` or `.pnpm` could overwrite pnpm-owned layout. This patch validates package-name semantics and path containment before graph insertion or filesystem work. ## Security boundary - The
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in communication / marketing
Asynchronous coordination layer for AI coding agents: identities, inboxes, searchable threads, and advisory file leases over FastMCP + Git + SQLite
DataForSEO API modelcontextprotocol server
PubNub Model Context Protocol MCP Server for Cursor and Claude
MCP server for Yandex.Direct API — campaigns, ads, statistics, keywords. Bearer token auth.
MCP Security Weekly
Get CVE alerts and security updates for X.Com Mcp Server and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
A Model Context Protocol server that provides access to X.com's API capabilities. This server enables LLMs to interact with X.com (formerly Twitter) through OAuth 2.0 authentication, supporting all major Post-related operations including reading, writing, searching, and managing posts, likes, retweets, and bookmarks.
getSinglePost - Retrieve a single post by ID with optional field expansionsgetBulkPosts - Retrieve up to 100 posts by their IDscreatePost - Create a new post with text, media, polls, replies, etc.deletePost - Delete a post by IDhideReply - Hide or unhide a reply to a postgetUserTimeline - Get a user's timeline of postsgetUserMentions - Get posts that mention a specific usersearchRecent - Search recent posts (last 7 days)searchAll - Search all posts (full archive - requires Academic/Enterprise access)getPostCountsRecent - Get time-bucketed post counts for recent postsgetPostCountsAll - Get time-bucketed post counts for all posts (Academic/Enterprise)getRetweets - Get posts that retweet a specific postcreateRetweet - Retweet a postdeleteRetweet - Remove a retweetgetLikingUsers - Get users who liked a specific postgetLikedTweets - Get posts that a user has likedlikePost - Like a postunlikePost - Unlike a postgetUserBookmarks - Get a user's bookmarked postsbookmarkPost - Bookmark a postremoveBookmark - Remove a bookmarkpnpm install
pnpm run build
After installation, you can run it using:
node dist/index.js
docker build -t x.com-mcp .
docker run -i --rm -e X_COM_ACCESS_TOKEN=your-access-token x.com-mcp
X_COM_ACCESS_TOKEN (required): Your X.com OAuth 2.0 access tokenX_COM_ACCESS_TOKENAdd to your Claude settings:
"mcpServers": {
"x-com": {
"command": "node",
"args": ["dist/index.js"],
"env": {
"X_COM_ACCESS_TOKEN": "your-access-token"
}
}
}
"mcpServers": {
"x-com": {
"command": "docker",
"args": ["run", "-i", "--rm", "-e", "X_COM_ACCESS_TOKEN=your-access-token", "x.com-mcp"]
}
}
{
"name": "createPost",
"arguments": {
"text": "Hello world! This is my first post via the MCP server.",
"reply_settings": "everyone"
}
}
{
"name": "searchRecent",
"arguments": {
"query": "artificial intelligence",
"max_results": 10,
"tweet.fields": "created_at,author_id,public_metrics"
}
}
{
"name": "getUserTimeline",
"arguments": {
"id": "123456789",
"max_results": 20,
"expansions": "author_id"
}
}
{
"name": "likePost",
"arguments": {
"user_id": "123456789",
"tweet_id": "987654321"
}
}
{
"name": "getPostCountsRecent",
"arguments": {
"query": "machine learning",
"granularity": "day"
}
}