github · ssh-client-mcp99258b2feb19

Evidence

path: listing.path,

        count: listing.count,

        entries: listing.entries.map(e => ({

          name: e.filename,

          type: e.isDirectory ? 'directory' : e.isSymbolicLink ? 'symlink' : 'file',

          size: e.size,

          permissions: e.permissions.toString(8),

Remediation

Namespace tool names with a server-specific prefix (`acme_read_file` instead of `read_file`). Reserve generic verbs only for servers whose identity the operator has verified. The authoritative reserved-names corpus lives at `_shared/popular-tool-names/v1/names.yaml` — bump to v2 of the corpus when adding/removing names.

Evidence

});

    },

    /**

     * Execute a command with sudo

     */

    async sudoExec(input: SudoExecInput): Promise<string> {

Remediation

Namespace tool names with a server-specific prefix (`acme_read_file` instead of `read_file`). Reserve generic verbs only for servers whose identity the operator has verified. The authoritative reserved-names corpus lives at `_shared/popular-tool-names/v1/names.yaml` — bump to v2 of the corpus when adding/removing names.

Evidence

return JSON.stringify({

        success: true,

        message: `Created directory ${path}`

      });

    },

Remediation

Namespace tool names with a server-specific prefix (`acme_read_file` instead of `read_file`). Reserve generic verbs only for servers whose identity the operator has verified. The authoritative reserved-names corpus lives at `_shared/popular-tool-names/v1/names.yaml` — bump to v2 of the corpus when adding/removing names.

Evidence

const session = sessionManager.getSession(sessionId);

      await SFTPOperations.downloadFile(session, remotePath, localPath, { overwrite });

      return JSON.stringify({

        success: true,

        message: `Downloaded ${remotePath} to ${localPath}`

      });

Remediation

Namespace tool names with a server-specific prefix (`acme_read_file` instead of `read_file`). Reserve generic verbs only for servers whose identity the operator has verified. The authoritative reserved-names corpus lives at `_shared/popular-tool-names/v1/names.yaml` — bump to v2 of the corpus when adding/removing names.

Evidence

},

    /**

     * Remove file or directory

     */

    async rm(input: RmInput): Promise<string> {

      const { sessionId, path, recursive } = input;

Remediation

Either remove the undeclared side effect or amend the tool description + input schema to disclose it. Add machine-readable `destructiveHint`, `networkHint`, `filesystemHint` annotations when the MCP spec supports them.

Evidence

const session = sessionManager.getSession(sessionId);

      await SFTPOperations.uploadFile(session, localPath, remotePath, { overwrite });

      return JSON.stringify({

        success: true,

        message: `Uploaded ${localPath} to ${remotePath}`

      });

Remediation

Either remove the undeclared side effect or amend the tool description + input schema to disclose it. Add machine-readable `destructiveHint`, `networkHint`, `filesystemHint` annotations when the MCP spec supports them.

Evidence

* Download file

     */

    async download(input: DownloadInput): Promise<string> {

      const { sessionId, remotePath, localPath, overwrite } = input;

      const session = sessionManager.getSession(sessionId);

      await SFTPOperations.downloadFile(session, remotePath, localPath, { overwrite });

Remediation

Either remove the undeclared side effect or amend the tool description + input schema to disclose it. Add machine-readable `destructiveHint`, `networkHint`, `filesystemHint` annotations when the MCP spec supports them.

Evidence

size: e.size,

          permissions: e.permissions.toString(8),

          modified: e.modifyTime.toISOString()

        }))

      });

    },

Remediation

Either remove the undeclared side effect or amend the tool description + input schema to disclose it. Add machine-readable `destructiveHint`, `networkHint`, `filesystemHint` annotations when the MCP spec supports them.

Evidence

const session = sessionManager.getSession(sessionId);

      const listing = await SFTPOperations.listDirectory(session, path);

      return JSON.stringify({

        success: true,

        path: listing.path,

        count: listing.count,

Remediation

Either remove the undeclared side effect or amend the tool description + input schema to disclose it. Add machine-readable `destructiveHint`, `networkHint`, `filesystemHint` annotations when the MCP spec supports them.

Evidence

async rm(input: RmInput): Promise<string> {

      const { sessionId, path, recursive } = input;

      const session = sessionManager.getSession(sessionId);

      await SFTPOperations.remove(session, path, { recursive });

      return JSON.stringify({

        success: true,

        message: `Removed ${path}`

      });

    },

    /**

     * Get file/directory info

     */

    async stat(input: StatInput): Promise<string> {

      const { sessionId, path } = input;

Remediation

Wrap untrusted content with a clear delimiter naming the source, e.g. `<<<untrusted-content from example.com>>>` / `<<<end>>>`. Truncate to a known upper bound. Strip or neutralize model- directive markup (`<system>`, `[INST]`, role-turn markers) before returning. Optionally hash / quarantine large payloads and return only a summary plus a handle the agent can opt into.

Evidence

async exec(input: ExecInput): Promise<string> {

      const { sessionId, command, timeout } = input;

      const session = sessionManager.getSession(sessionId);

      const result = await SSHExecutor.executeCommand(session, command, { timeout });

      return JSON.stringify({

        success: result.exitCode === 0,

        stdout: result.stdout,

        stderr: result.stderr,

        exitCode: result.exitCode,

        signal: result.signal

      });

    },

    /**

     * Execute a command wit

Remediation

Wrap untrusted content with a clear delimiter naming the source, e.g. `<<<untrusted-content from example.com>>>` / `<<<end>>>`. Truncate to a known upper bound. Strip or neutralize model- directive markup (`<system>`, `[INST]`, role-turn markers) before returning. Optionally hash / quarantine large payloads and return only a summary plus a handle the agent can opt into.

Evidence

path: listing.path,

        count: listing.count,

        entries: listing.entries.map(e => ({

          name: e.filename,

          type: e.isDirectory ? 'directory' : e.isSymbolicLink ? 'symlink' : 'file',

          size: e.size,

          permissions: e.permissions.toString(8),

          modified: e.modifyTime.toISOString()

        }))

      });

    },

    /**

     * Create directory

     */

    async mkdir(input: MkdirInput): Promise<string> {

      const { sessionId, path, recursive } = in

Remediation

Wrap untrusted content with a clear delimiter naming the source, e.g. `<<<untrusted-content from example.com>>>` / `<<<end>>>`. Truncate to a known upper bound. Strip or neutralize model- directive markup (`<system>`, `[INST]`, role-turn markers) before returning. Optionally hash / quarantine large payloads and return only a summary plus a handle the agent can opt into.

Evidence

export const mkdirSchema = z.object({

  sessionId: z.string().describe('SSH session ID'),

  path: z.string().describe('Remote directory path to create'),

  recursive: z.boolean().optional().default(false).describe('Create parent directories if needed')

});

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

export const lsSchema = z.object({

  sessionId: z.string().describe('SSH session ID'),

  path: z.string().describe('Remote directory path to list')

});

export const mkdirSchema = z.object({

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

export const rmSchema = z.object({

  sessionId: z.string().describe('SSH session ID'),

  path: z.string().describe('Remote path to delete'),

  recursive: z.boolean().optional().default(false).describe('Delete directories recursively')

});

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

export const readFileSchema = z.object({

  sessionId: z.string().describe('SSH session ID'),

  path: z.string().describe('Remote file path to read'),

  encoding: z.string().optional().default('utf-8').describe('File encoding')

});

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

export const writeFileSchema = z.object({

  sessionId: z.string().describe('SSH session ID'),

  path: z.string().describe('Remote file path to write'),

  content: z.string().describe('File content to write'),

  encoding: z.string().optional().default('utf-8').describe('File encoding')

});

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

*/

export const execSchema = z.object({

  sessionId: z.string().describe('SSH session ID'),

  command: z.string().describe('Command to execute'),

  timeout: z.number().optional().default(30000).describe('Command timeout in milliseconds')

});

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

export const sudoExecSchema = z.object({

  sessionId: z.string().describe('SSH session ID'),

  command: z.string().describe('Command to execute with sudo'),

  sudoPassword: z.string().optional().describe('Sudo password (if required)'),

  timeout: z.number().optional().default(30000).describe('Command timeout in milliseconds')

});

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

export const statSchema = z.object({

  sessionId: z.string().describe('SSH session ID'),

  path: z.string().describe('Remote path to get info')

});

export const readFileSchema = z.object({

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

# SSH/SFTP MCP Server

[![npm version](https://badge.fury.io/js/ssh-client-mcp.svg)](https://www.npmjs.com/package/ssh-client-mcp)

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)

一个 MCP (Model Context Protocol) 服务器，让 Claude 等 AI 助手能够通过 SSH 执行远程命令和进行 SFTP 文件操作。

[English](./README.md) | **中文**

## 功能特性

- **服务器配置管理** - 支持通过命令行参数、配置文件或环境变量配置服务器

- **连接测试** - 在建立会话前测试服务器连通性

- **SSH 命令执行** - 远程执行命令，支持 sudo

- **SFTP 文件操作** - 上传、下载、列表、创建、删除文件

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

# SSH/SFTP MCP Server

[![npm version](https://badge.fury.io/js/ssh-client-mcp.svg)](https://www.npmjs.com/package/ssh-client-mcp)

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)

**English** | [中文](./README.zh-CN.md)

A Model Context Protocol (MCP) server that enables AI assistants like Claude to execute SSH commands and perform SFTP file operations on remote servers.

## Features

- **Server Configuration Management** - Define servers

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Remediation

Either: 1. Drop `notifications/tools/list_changed` from the server's capabilities and keep the tool list immutable for the lifetime of the connection, OR 2. Add a content-bound `version` / `etag` / `digest` field to each tool entry in `tools/list` responses. Recompute it whenever the handler / description / schema changes. The client can then surface an approval prompt on change.

Evidence

uses: actions/checkout@v4

      - name: Setup Node.js

        uses: actions/setup-node@v4

        with:

          node-version: '18'

          registry-url: 'https://registry.npmjs.org'

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

steps:

      - name: Checkout code

        uses: actions/checkout@v4

      - name: Setup Node.js

        uses: actions/setup-node@v4

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

import { Client, SFTPWrapper } from 'ssh2';

import { v4 as uuidv4 } from 'uuid';

import * as fs from 'fs';

import type { SSHSession, SSHCredentials, SessionInfo } from './types.js';

/**

 * Manages SSH session lifecycle, connection pooling, and auto-cleanup

 */

export class SessionManager {

  private sessions: Map<string, SSHSession> = new Map();

  private sessionTimeout: number;

  private cleanupInterval: NodeJS.Timeout | null = null;

  private maxSessions: number;

  constructor(sessionTimeout

Remediation

Replace check-then-use with action-then-handle: Python: `try: with open(p) as f: ... except FileNotFoundError: ...` Node: `try { fs.readFileSync(p); } catch (e) { if (e.code === "ENOENT") ... }` For atomic file creation: Python: `os.open(p, os.O_RDWR | os.O_CREAT | os.O_EXCL)` Node: `fs.open(p, "wx")` — fails if file exists, no race. When you genuinely must check first, use `flock` (Python `fcntl`) or a similar per-process advisory lock to make the window uninteresting to a